Abstract

Dependent pattern matching is an intuitive way to write programs 
and proofs in dependently typed languages. It is reminiscent of 
both pattern matching in functional languages and case analysis 
in on-paper mathematics. However, in general it is incompatible 
with new type theories such as homotopy type theory (HoTT). As a 
consequence, proofs in such theories are typically harder to write 
and to understand. The source of this incompatibility is the reliance 
of dependent pattern matching on the so-called K axiom - also 
known as the uniqueness of identity proofs - which is inadmissible 
in HoTT. The Agda language supports an experimental criterion to 
detect definitions by pattern matching that make use of the K axiom, 
but so far it lacked a formal correctness proof. 

In this paper, we propose a new criterion for dependent pattern
matching without K, and prove it correct by a translation to
eliminators in the style of Goguen et al. (2006). Our criterion both
allows more good definitions than existing proposals, and solves
a previously undetected problem in the criterion offered by Agda.
It has been implemented in Agda and is the first to be supported
by a formal proof. Thus it brings the benefits of dependent pattern
matching to contexts where we cannot assume K, such as HoTT. It
also points the way to new forms of dependent pattern matching, for
example on higher inductive types.

Categories and Subject Descriptors F.3.3 [Logics and Meanings 
of Programs] : Studies of Program Constructs - functional constructs, 
program and recursion schemes; D.3.3 [Programming Languages]: 
Language Constructs and Features - data types and structures, 
patterns, recursion 

Keywords Dependent Pattern Matching, K Axiom, Homotopy 
Type Theory, Agda 

1. Introduction 

The case for dependent pattern matching. Dependent pattern
matching (Coquand 1992) is a technique for writing functions in
languages based on dependent type theory, such as Agda (Norell
2007), Coq (Sozeau 2010), and Idris (Brady 2013). It allows us
to define functions in a style similar to functional programming
languages such as Haskell, by giving a number of equalities called
clauses. For example, the function half : ℕ → ℕ can be defined as

half : ℕ → ℕ
half zero = zero                                   (1)
half (suc zero) = zero
half (suc (suc k)) = suc (half k)

Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from permissions@acm.org.
ICFP '14, September 1-6, 2014, Gothenburg, Sweden.
Copyright © 2014 ACM 978-1-4503-2873-9/14/09...$15.00.
http://dx.doi.org/10.1145/2628136.2628139

Note that pattern matching combines two powerful programming 
features, namely case analysis and recursion. 

Additionally, dependent pattern matching can be used to write
proofs (in the form of dependently typed functions). For example,
we can prove the transitivity of the propositional equality x = y
(Martin-Löf 1984) by pattern matching on its only constructor refl
of type x = x:

trans : (x y z : A) → x = y → y = z → x = z
trans x ⌊x⌋ ⌊x⌋ refl refl = refl                   (2)

Inaccessible patterns, like ⌊x⌋ in this example, witness the fact
that only one type-correct argument can be in that position. Indeed,
matching on a proof of x = y with refl : x = x forces x and y to
be the same. Another example is the proof cong that any function
maps equal arguments to equal results:

cong : (f : A → B)(x y : A) → x = y → f x = f y
cong f x ⌊x⌋ refl = refl                           (3)

Proofs by dependent pattern matching are typically much shorter
and more readable than ones that use the classical datatype eliminators
associated with each inductive family. For example, let ≤
be the usual ordering on ℕ defined as an inductive family (Dybjer
1991) defined by the two constructors lz and ls:

lz : (n : ℕ) → zero ≤ n                            (4)
ls : (m n : ℕ) → m ≤ n → suc m ≤ suc n

We can prove antisymmetry of this relation by pattern matching as
follows:

antisym : (m n : ℕ) → m ≤ n → n ≤ m → m = n
antisym ⌊zero⌋ ⌊zero⌋ (lz ⌊zero⌋) (lz ⌊zero⌋) = refl          (5)
antisym ⌊suc m⌋ ⌊suc n⌋ (ls m n x) (ls ⌊n⌋ ⌊m⌋ y) =
  cong suc (antisym m n x y)

Pattern matching allows us to skip the two cases where one of the
arguments is lz n and the other is ls m' n' x, because zero can
never be of the form suc m' (this is called the conflict rule). In the
second clause, m' (the first argument of the second ls) was replaced
by ⌊n⌋ because suc m' and suc n were forced to be equal, and
similarly n' (its second argument) is replaced by ⌊m⌋ (this is called
the injectivity rule).

Desugaring pattern matching. In a dependent type theory with
inductive families but without pattern matching, functions have
to be written using datatype eliminators. They will be defined
formally in Section 3.1, but Figure 1 already gives an alternative
definition of antisym as an example using eliminators only. All the
equational reasoning that was done automatically in the definition
by pattern matching now has to be done explicitly. The proof with
eliminators also requires considerable cleverness for the construction
of the motive (McBride 2002) of each eliminator, while this is done
automatically in the definition by pattern matching. So it is clearly
preferable to use pattern matching for this proof.

antisym : (m n : ℕ) → m ≤ n → n ≤ m → m = n
antisym = elim≤ (λm; n; _. n ≤ m → m = n)
  (λn; e. elim≤ (λn; m; _. m = zero → m = n)
    (λn; e. e)
    (λk; l; _; _; e. elim⊥ (λ_. suc l = suc k)
      (noConfℕ (suc l) zero e))
    n zero e refl)
  (λm; n; _; H; g. cong suc
    (H (elim≤ (λk; l; _. k = suc n → l = suc m → n ≤ m)
      (λ_; e; _. elim⊥ (λ_. n ≤ m)
        (noConfℕ zero (suc n) e))
      (λk; l; e; _; x; y. subst (λn. n ≤ m)
        (noConfℕ (suc k) (suc n) x)
        (subst (λm. k ≤ m)
          (noConfℕ (suc l) (suc m) y) e))
      (suc n) (suc m) g refl refl)))

Figure 1. This proof of the antisymmetry of ≤ is more complex
than the proof by pattern matching (5) because it uses only the standard
datatype eliminators (see Section 3.1) and the "no confusion"
property of the natural numbers. No confusion can be constructed
from the eliminator for ℕ as well (see Section 3.4).

As shown by Goguen et al. (2006), all definitions by dependent
pattern matching can be translated to ones that only use eliminators.
However, for this translation they depend on the so-called K axiom.
Coquand (1992) already observed that pattern matching allows
proving this K axiom:

K : (P : a = a → Set) →
    (p : P refl)(e : a = a) → P e                  (6)
K P p refl = p

The K axiom is equivalent with the uniqueness of identity proofs
principle (UIP), which states that any two proofs of x = y must be
equal. As observed by Hofmann and Streicher (1994), the K axiom
does not follow from the standard rules of type theory, but it is
compatible with them.

So far, none of the examples we gave needs the K axiom for
the translation to eliminators (except for the definition of K itself).
For the next example, remember that in type theory there is no
strict boundary between types and terms, so we can form equations
between types as well, for example Bool = Bool. Given such an
equation between types, we can coerce terms of the first type to the
other using the function coerce : A = B → A → B (which can be
constructed by pattern matching). Now we can use pattern matching
to prove that coercing true by any proof of Bool = Bool results in
true:

coerce-id : (e : Bool = Bool) → coerce e true = true      (7)
coerce-id refl = refl

This can be desugared to

coerce-id = λe. K (λe. coerce e true = true) refl e       (8)

The K axiom is necessary to deal with reflexive equations such as
Bool = Bool in this example.

Pattern matching in HoTT. An emerging field within dependent
type theory is homotopy type theory (HoTT) (The Univalent Foundations
Program 2013). It gives a new interpretation of terms of
type x = y as paths from x to y. Many basic constructions in HoTT
can be written very elegantly using pattern matching, for example
trans (2) corresponds to the composition of two paths, and
cong (3) can be interpreted as a proof that all functions in HoTT are
continuous (in a certain sense).

One of the core elements of HoTT is the univalence axiom. This
axiom states roughly that any two isomorphic types can be identified,
i.e. if there is a function f : A → B which has both a left and a
right inverse, then it gives us a proof ua f of A = B. Moreover,
this proof satisfies coerce (ua f) x = f x. Univalence captures
the common mathematical practice of informal reasoning "up to
isomorphism" in a nice and formalized way. It also has a number of
useful consequences, such as functional extensionality.

However, the univalence axiom is incompatible with dependent
pattern matching. For example, we can construct a function swap :
Bool → Bool such that swap true = false and vice versa.
This function is its own inverse, so by univalence it gives us a
proof ua swap of Bool = Bool such that coercing true along this
proof results in false. Together with the proof coerce-id (7), this
leads to a proof of the absurdity true = false. This has forced
people working on HoTT to avoid using pattern matching or risk
unsoundness.

Avoiding K. The source of the incompatibility between univalence
and dependent pattern matching is that pattern matching relies on
the K axiom. If we could somehow restrict definitions by pattern
matching so that we could translate them to type theory with
eliminators but without the K axiom, then we would be able to use
pattern matching in HoTT. One attempt to achieve this is an option
in Agda called --without-K (Norell et al. 2012). When enabled, Agda
attempts to detect definitions by pattern matching that make use of
the K axiom by means of a syntactic check. In theory, this option
should allow people to use pattern matching in a safe way when it is
undesirable to assume K. However, the option has been criticized
many times, for being too restrictive (Sicard-Ramírez 2013), for
having unclear semantics (Reed 2013), and for containing errors
(Altenkirch 2012; Cockx 2014). These errors allowed one to prove
(weaker versions of) the K axiom. While errors are typically fixed
quickly after being found, this situation really calls for a more in-depth
investigation of dependent pattern matching without K.

Contributions.

• We present a new criterion that describes what kind of definitions
by pattern matching are still allowed if we do not assume K. This
criterion is strictly more general than previous attempts.

• We give a formal proof that definitions by pattern matching
satisfying this criterion are conservative over standard type
theory by translating them to eliminators in the style of Goguen
et al. (2006), but without relying on the K axiom.

• Our criterion has been implemented as a patch to Agda. We
test it on a body of examples in order to show its adequacy,
soundness, and generality. As of Agda version 2.4.0 (released
on June 5, 2014), our implementation replaces the old version
of --without-K.

• Finally, we give an idea how to make pattern matching without K
even less restrictive by analyzing which types satisfy K without
assuming it as an axiom. Future work is still needed to make this
analysis more robust.

Overview. The rest of this paper is organized as follows. In Section
2, we describe our criterion for pattern matching without K and
compare our implementation with the current one in Agda. Section
3 contains the main technical contribution of this paper: a proof
that definitions by pattern matching satisfying our criterion can be
translated to eliminators without using K. In Section 4, we discuss
how pattern matching without K can be made less restrictive. Finally,
we discuss related work in Section 5.

Supplementary material for this paper can be found online at
http://people.cs.kuleuven.be/~jesper.cockx/Without-K/.
This page contains the implementation of our criterion
in Agda, Agda files containing the examples given in this
paper, and Agda files illustrating parts of the proof in Section 3.

2. The criterion 

A definition by pattern matching can be thought of as given by a
number of case splits on the arguments. For example, the function
half : ℕ → ℕ in Definition 1 is defined by first doing a case
split on the argument n : ℕ, giving us two cases n = zero and
n = suc m, and then another case split on m. For definitions like
this one, each case split corresponds exactly to one application of
the standard eliminator for ℕ, hence the K axiom is not needed.

Things get more complicated for an inductive family (Dybjer
1991) such as Fin n, the canonical finite set of n elements, or
m ≤ n, the type of proofs that m is smaller than or equal to n.
When splitting on a type from an inductive family, we need to apply
unification in order to determine the possible cases. This unification
algorithm depends crucially on the K axiom, so we have to restrict
it in order to remove this dependence.

In this section, we first describe the unification algorithm used 
by Goguen et al. (2006). Next, we describe our restricted unification 
algorithm that does not depend on K. We also compare our criterion 
with the syntactic criterion for pattern matching without K in Agda. 
Finally, we give a short evaluation of our implementation. 

2.1 Case splitting by unification of the indices 

When checking a definition by pattern matching, we must decide
which constructors can be used to construct a term of a particular
type, and under which constraints. For example, consider the
inductive family m ≤ n with constructors lz and ls as given in
Definition 4. Suppose we want to do a case split on a variable of type
k ≤ k, then we have to decide for what kind of arguments the two
constructors give a result of the form k ≤ k. In the case of lz, this
is when both k and the argument n are equal to zero, while for ls,
this is when the two arguments m and n are equal and k = suc n.

In general, suppose we are case splitting on a variable x : D ū
where D is an inductive family with indices ū (we consider D
to already be applied to its parameters, if any). Suppose D has
constructors cᵢ with return type D v̄ᵢ for i = 1, ..., k, then we
have to unify ū with each of the v̄ᵢ. Unification is the process of
searching for unifiers, i.e. substitutions σ such that ūσ = v̄ᵢσ.
A unification problem is represented as a list of equations u₁ =
v_{i1}, ..., uₙ = v_{in}, and the following five unification transitions are
used to simplify the problem step by step:

Deletion:    x = x, Θ ⇒ Θ
Solution:    x = t, Θ ⇒ Θ[x ↦ t]   (if x is not free in t)
Injectivity: c s̄ = c t̄, Θ ⇒ s̄ = t̄, Θ
Conflict:    c₁ s̄ = c₂ t̄, Θ ⇒ ⊥   (if c₁ ≠ c₂)
Cycle:       x = c p̄[x], Θ ⇒ ⊥   (if x ≺ c p̄[x])

Exhaustively applying these rules whenever they are applicable 
terminates by the usual argument (Jouannaud and Kirchner 1990), 
with three possible outcomes: 

Positive success: All equations have been solved, yielding a most 
general unifier a. 

Negative success: Either the conflict or the cycle rule applies, 
meaning that there exist no unifiers. 

Failure: An equation is reached for which no transition applies, 
meaning that the problem is too hard to be solved (by this 
unification algorithm). 

This algorithm is complete for constructor forms: if both ū and v̄
are built from constructors and variables only, then unification will
never result in a failure.

Case splitting succeeds if unification of ū with each of the v̄ᵢ
succeeds (either positively or negatively). If all of them succeed
negatively, we replace x by an absurd pattern ∅, marking that case
splitting resulted in zero cases.¹ If on the other hand at least one
of them succeeds positively, we get the same number of new cases
where x has been replaced by cᵢ ȳ and ȳ : Δᵢ are fresh variables.
To each of these cases, we then apply the substitution σᵢ constructed
by unification. For example, a function f : (k : ℕ) → k ≤ k → P k
can be defined by the following patterns:

f ⌊zero⌋ (lz ⌊zero⌋) = ...
f ⌊suc n⌋ (ls n ⌊n⌋ x) = ...

Here, ⌊···⌋ marks an inaccessible pattern: it is not part of a case
split, but rather computed by unification. The substitution σᵢ is also
applied to the result type: in the first clause, the right-hand side
should have type P zero, while in the second one it should have
type P (suc n).

2.2 Restricting the unification rules 

Our criterion for pattern matching without K works by limiting the
unification algorithm in two ways:

• It is not allowed to use the deletion step.

• When applying the injectivity step on the equation c s̄ = c t̄
where c s̄, c t̄ : D ū, the indices ū should be self-unifiable, i.e.
unification of ū with itself should succeed positively (while still
adhering to these two restrictions).

This inevitably means that unification will fail more often.
However, if unification results in a success (a positive or negative
one) then we know that the original rules would have given the same
result. Where the original algorithm was complete for constructor
forms, our modified version is only complete for linear constructor
forms (i.e. ones where each variable occurs only once).

As a first example, our criterion allows the definition of the
standard J-eliminator for the propositional equality (also known as
the principle of based path induction in HoTT) by pattern matching:

J : (P : (b : A) → a = b → Set) →
    (p : P a refl)(b : A)(e : a = b) → P b e       (10)
J P p ⌊a⌋ refl = p

The unification problem for the case split on e : a = b with the
constructor refl : a = a is given by b = a. Unification succeeds
positively after one solution step, with the most general unifier



¹ The reason for replacing x by an absurd pattern instead of removing the
pattern entirely is to keep coverage checking decidable (Goguen et al. 2006).
[b ↦ a] as the result. Likewise, the definitions of trans (2), cong
(3), and antisym (5) in the introduction are also accepted.

In contrast, the definition of K by pattern matching is not allowed,
as case splitting on the argument of type a = a produces a unification
problem a = a, which fails without the deletion step of the
unification algorithm.

K : (P : a = a → Set) →
    (p : P refl)(e : a = a) → P e                  (11)
K P p refl = p

This already explains the need for the first restriction to the unification
algorithm. As an example of why the second restriction is
needed, consider the following weaker variant of K (where
refl =_{a = a} refl is the equality type between two proofs of a = a):

weakK : (P : refl =_{a = a} refl → Set) →
        (p : P refl)(e : refl =_{a = a} refl) → P e    (12)
weakK P p refl = p

Like the regular K, this weakK does not follow from the standard
rules of type theory and is incompatible with univalence (Kraus
and Sattler 2013). However, since refl is a constructor without
any arguments, it would be accepted if we did not have the second
restriction.
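The following Python is an added illustration written for this page, not code from the paper or from Agda's implementation. It models the five unification transitions of Section 2.1 and the two restrictions of Section 2.2 on a first-order term language, then runs the unification problems discussed above: b = a for J (10), a = a for K (11), refl = refl at type a = a for weakK (12), the case split on k ≤ k from Section 2.1, and the fs n x = fs n y problem on Fin n from Section 2.3. The constructor signatures in ARG_TYPE_INDICES, the equations, and the simplification that index terms themselves have unindexed types are all constructed for the demo.

```python
# Added example (not the paper's or Agda's code): a small model of the
# unification algorithm behind case splitting, with a switch for the two
# restrictions of Section 2.2.  Terms are variables or constructor
# applications; every equation carries the index list of the common type
# D ū of its two sides, which is what the self-unifiability check inspects.
# Constructed simplification: index terms themselves have unindexed types
# (true for ℕ-indexed families such as Fin n and m ≤ n), so the equations
# they generate carry an empty index list.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Con:
    name: str
    args: Tuple["Term", ...] = ()

Term = Union[Var, Con]
Equation = Tuple[Term, Term, Tuple[Term, ...]]   # lhs, rhs, indices of their type
Subst = Dict[str, Term]

def V(name: str) -> Var:
    return Var(name)

def C(name: str, *args: Term) -> Con:
    return Con(name, tuple(args))

# Index telescopes of the argument types of each constructor, as functions
# of the constructor's own arguments (constructed signatures for the demo).
ARG_TYPE_INDICES = {
    "zero": lambda a: [],
    "suc": lambda a: [()],            # n : ℕ
    "refl": lambda a: [],
    "fs": lambda a: [(), (a[0],)],    # n : ℕ, then x : Fin n
}

def apply(t: Term, sigma: Subst) -> Term:
    if isinstance(t, Var):
        return sigma.get(t.name, t)
    return Con(t.name, tuple(apply(a, sigma) for a in t.args))

def occurs(x: Var, t: Term) -> bool:
    return t == x or (isinstance(t, Con) and any(occurs(x, a) for a in t.args))

def extend(sigma: Subst, x: Var, t: Term) -> Subst:
    one = {x.name: t}
    return {**{k: apply(v, one) for k, v in sigma.items()}, x.name: t}

def unify(problem: List[Equation], restricted: bool):
    """Apply Deletion, Solution, Injectivity, Conflict and Cycle until no
    equation is left.  Returns ('positive', mgu), ('negative', None) or
    ('failure', stuck equation).  With restricted=True, Deletion is switched
    off and Injectivity on c s = c t first unifies the indices of their
    type with themselves (under the same restrictions)."""
    sigma: Subst = {}
    todo = list(problem)
    while todo:
        lhs, rhs, idx = todo.pop(0)
        lhs, rhs = apply(lhs, sigma), apply(rhs, sigma)
        idx = tuple(apply(i, sigma) for i in idx)
        if isinstance(lhs, Var) and lhs == rhs:              # Deletion: x = x
            if restricted:
                return ("failure", (lhs, rhs))
            continue
        if isinstance(lhs, Var) and not occurs(lhs, rhs):    # Solution: x = t
            sigma = extend(sigma, lhs, rhs)
            continue
        if isinstance(rhs, Var) and not occurs(rhs, lhs):    # Solution: t = x
            sigma = extend(sigma, rhs, lhs)
            continue
        if isinstance(lhs, Var) or isinstance(rhs, Var):     # Cycle: x = c p[x]
            return ("negative", None)
        if lhs.name != rhs.name:                             # Conflict: c1 s = c2 t
            return ("negative", None)
        if restricted and idx:                               # self-unifiability of ū
            if unify([(i, i, ()) for i in idx], True)[0] != "positive":
                return ("failure", (lhs, rhs))
        arg_idx = ARG_TYPE_INDICES[lhs.name](lhs.args)       # Injectivity: c s = c t
        todo = [(s, t, tuple(i)) for s, t, i in zip(lhs.args, rhs.args, arg_idx)] + todo
    return ("positive", sigma)

def case_split(u: List[Term], constructors: Dict[str, List[Term]], restricted: bool):
    """Unify the indices u of the split variable's type with the result
    indices of every constructor; one outcome per constructor."""
    return {c: unify([(a, b, ()) for a, b in zip(u, v)], restricted)
            for c, v in constructors.items()}

def demo():
    a, b, k, m, n, x, y = (V(s) for s in "abkmnxy")
    le_ctors = {"lz": [C("zero"), n], "ls": [C("suc", m), C("suc", n)]}   # (4)
    fin_eq = (C("fs", n, x), C("fs", n, y), (C("suc", n),))                # at Fin (suc n)
    return {
        "J": unify([(b, a, ())], True),                        # (10): b = a
        "K": unify([(a, a, ())], True),                        # (11): a = a
        "K_with_deletion": unify([(a, a, ())], False),
        "weakK": unify([(C("refl"), C("refl"), (a,))], True),  # (12), at type a = a
        "k<=k": case_split([k, k], le_ctors, True),            # the f example of 2.1
        "conflict": unify([(C("zero"), C("suc", m), ())], True),
        "cycle": unify([(n, C("suc", n), ())], True),
        "fin": unify([fin_eq], True),
        "fin_with_deletion": unify([fin_eq], False),
    }
```

Running demo() reproduces the outcomes discussed in the text: J succeeds positively with [b ↦ a]; K is stuck on a = a once deletion is disabled, but succeeds with it; weakK fails because the self-unification of the index a is exactly the equation a = a; the split on k ≤ k yields [k ↦ zero, n ↦ zero] for lz and [k ↦ suc n, m ↦ n] for ls, matching the inaccessible patterns of the two clauses; and fs n x = fs n y fails only because the self-unifiability check on suc n needs deletion for n = n.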

2.3 Comparison with the syntactic criterion 

So far, the only credible proposal of a criterion for pattern matching 
without K was the syntactic criterion used by Agda. So how does 
our criterion compare to it? One reason to prefer our criterion is that 
it is more amenable to the correctness proof given in Section 3. But 
we should also compare their generality, i.e. what kind of definitions 
are still allowed by each. The criterion currently used in Agda for 
pattern matching without K is specified as follows: 

If the flag is activated, then Agda only accepts certain 
case-splits. If the type of the variable to be split is D pars 
ixs, where D is a data (or record) type, pars stands for 
the parameters, and ixs the indices, then the following 
requirements must be satisfied: 

• The indices ixs must be applications of constructors (or 
literals) to distinct variables. Constructors are usually not 
applied to parameters, but for the purposes of this check 
constructor parameters are treated as other arguments. 

• These distinct variables must not be free in pars. 

This criterion implies that the deletion rule is never used during
unification. To see why this is true, note that it guarantees that
all unification problems generated by pattern matching are of the
form ū = v̄ᵢ where ū consists of constructors applied to free
variables and each variable occurs only once in ū. Moreover, since
new constructors introduced by case splitting are applied to fresh
variables, the variables in ū are not free in v̄ᵢ. Both the solution and
the injectivity step preserve these three properties, hence we will
never reach an equation of the form x = x.

On the other hand, the syntactic criterion does not imply that 
the indices are self-unifiable when applying the injectivity rule. But 
this is actually a bug in the syntactic criterion, allowing one to prove 
a weaker version of the K axiom (Cockx 2014). So the fact that our 
criterion is more restrictive in this case is actually a good thing. 

Apart from that issue, our criterion is in fact strictly more general
than the syntactic one. For example, the syntactic criterion allows us
to pattern match with refl on an argument of type k + l = m (where
k, l, m : ℕ are previous arguments), but not on an argument of type
m = k + l. This asymmetry is created by a technical detail in the
standard definition of propositional equality as an inductive family:
the first argument is a parameter (so it can be anything), while the
second one is an index (so it must consist of constructors applied
to free variables). In contrast, our criterion allows both variants
because we look at the unifications that are performed instead of
syntactical artefacts like the distinction between a parameter and
an index. Similarly, Agda's syntactic criterion does not allow us to
pattern match on an argument of type n ≤ n because the variable n
occurs twice. But this turns out to be over-conservative, as evidenced
by the fact that it is allowed by our criterion.

Another advantage of our criterion is that unlike the syntactic criterion,
it does not put any requirements on the datatype parameters.
This is very useful when we need injectivity of a constructor of a
parametrized data type. For example, the syntactic criterion does not
allow case splitting on an argument of type x :: xs = y :: ys where
:: is the list constructor, since the type A of x and y is a parameter
and the constructor :: is considered to be applied to this parameter.
Our criterion has no such problems.

Unfortunately, our criterion still has some limitations. For example,
when working with the ≤ relation on finite sets Fin n, we cannot
pattern match on an argument of type i ≤ i where i : Fin n. This
is because unification gets stuck on the problem fs n x = fs n y,
where the deletion rule is needed to remove the equation n = n.
However, this definition is also refused by the syntactic criterion. In
Section 4, we discuss a possible solution to this problem.
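To make the comparison concrete, here is an added model (written for this page, not Agda's own checker) of the syntactic --without-K criterion quoted at the start of this section, run on the case splits discussed above. The split variable's type is given as D pars ixs; the check passes only if every index is a variable or a constructor applied to variables, those variables are pairwise distinct, and none of them is free in pars. The Var/Con/Fun representation is constructed for the demo, and, as the quoted rule requires, a constructor's parameter is listed among its arguments.

```python
# Added example (not the paper's or Agda's code): the syntactic criterion
# for pattern matching without K as a predicate on the parameters and
# indices of the type being split.  Constructed representation: Var, Con
# (constructor application, parameters included among the arguments) and
# Fun (application of an ordinary function such as _+_, which is not a
# constructor).
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Con:
    name: str
    args: Tuple["Term", ...] = ()

@dataclass(frozen=True)
class Fun:
    name: str
    args: Tuple["Term", ...] = ()

Term = Union[Var, Con, Fun]

def free_vars(t: Term) -> List[str]:
    if isinstance(t, Var):
        return [t.name]
    return [v for a in t.args for v in free_vars(a)]

def show(t: Term) -> str:
    if isinstance(t, Var) or not t.args:
        return t.name
    return "(" + " ".join([t.name] + [show(a) for a in t.args]) + ")"

def syntactic_check(pars: List[Term], ixs: List[Term]) -> Optional[str]:
    """None if the case split is accepted, otherwise the reason for refusal."""
    seen: List[str] = []
    for ix in ixs:
        if isinstance(ix, Var):
            leaves = [ix]
        elif isinstance(ix, Con) and all(isinstance(a, Var) for a in ix.args):
            leaves = list(ix.args)
        else:
            return f"index {show(ix)} is not a constructor applied to variables"
        for v in leaves:
            if v.name in seen:
                return f"variable {v.name} occurs twice in the indices"
            seen.append(v.name)
    par_vars = {v for p in pars for v in free_vars(p)}
    clash = [v for v in seen if v in par_vars]
    if clash:
        return f"index variable {clash[0]} is free in the parameters"
    return None

def comparison_cases():
    k, l, m, n, a, b, A, x, xs, y, ys = (
        Var(s) for s in ["k", "l", "m", "n", "a", "b", "A", "x", "xs", "y", "ys"])
    nat = Con("ℕ")
    plus = lambda s, t: Fun("+", (s, t))
    # _=_ has parameters (A, lhs) and a single index (rhs); _≤_ on ℕ has
    # no parameters and two indices.
    return {
        "k + l = m": syntactic_check([nat, plus(k, l)], [m]),
        "m = k + l": syntactic_check([nat, m], [plus(k, l)]),
        "a = b": syntactic_check([A, a], [b]),
        "n <= n": syntactic_check([], [n, n]),
        "k <= suc n": syntactic_check([], [k, Con("suc", (n,))]),
        "x :: xs = y :: ys": syntactic_check(
            [Con("List", (A,)), Con("::", (A, x, xs))], [Con("::", (A, y, ys))]),
    }
```

comparison_cases() accepts k + l = m, a = b and k ≤ suc n, and refuses m = k + l (the index k + l is not a constructor form), n ≤ n (n occurs twice) and x :: xs = y :: ys (the parameter A appears inside the index once :: is treated as applied to it), which is the asymmetry the text describes.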

2.4 Implementation and evaluation 

Our new criterion for pattern matching without K has been imple- 
mented as a patch to Agda. We used it with a number of Agda 
programs in order to test it for adequacy, soundness, and generality. 

Adequacy. In order to test the adequacy of our approach, we tested
it on a number of small examples that should be definable without K,
such as the functions half (1), trans (2), cong (3), and antisym
(5) from the introduction. We also tested it on a body of Agda code
related to propositional equality and HoTT by Danielsson (2013),
which was written with Agda's current --without-K flag in mind. All
these examples are accepted without problems.

Soundness. To test the soundness of our criterion, we also tested
it on a number of variations on the K axiom and weaker versions of
it. For example, when we try to define K as in Definition 11, we get
the following error message:

Cannot eliminate reflexive equation x = x of type A because 
K has been disabled (when checking that the pattern refl 
has type x = x). 

Pattern matching with refl on a proof of Bool = Bool is also 
prohibited by our check. Similarly, the elimination rule for heteroge- 
neous equality given by McBride (2000) (which is equivalent with 
K) is rejected, as are the weaker versions of K given by Altenkirch 
(2012) and Cockx (2014). 

Generality. Finally, to test the generality of our approach, we gave
it some definitions that are rejected by Agda's syntactic criterion,
but do not actually rely on the K axiom. For example, definitions
involving case splitting on types such as m ≤ m, k = l + m, and
x = f y are accepted. Another notable advantage of our criterion is
that adding parameters to a data type will never change the validity
of a definition by pattern matching. This is especially useful in Agda
since module parameters are also considered to be parameters of the
datatypes defined inside that module (Norell 2007, chapter 4). So
with the syntactic criterion, moving a definition to another module
can cause an error, but with our criterion this is no longer the case.

3. Eliminating pattern matching without K 

In this section, we show that definitions by dependent pattern 
matching satisfying our criterion can be translated to type theory 
with universes and inductive families, without using the K axiom. 
Our proof follows the same general outline as the proof by Goguen
et al. (2006), but there are two important differences: 

• We work with the homogeneous propositional equality instead 
of the heterogeneous version. The reason is that the elimination 
rule they use for the heterogeneous equality is equivalent with 
K (McBride 2000), something we wish to avoid. Using the 
homogeneous equality also means that we have to work a little 
harder to express equality between two sequences of terms in 
the same telescope. 

• Working with the homogeneous equality leads us very natu- 
rally to upgraded versions of the unification transitions given 
by Goguen et al. (2006), where the return type is dependent on 
the equality proof. The construction of these upgraded transi- 
tions will make clear why the two restrictions to the unification 
algorithm given in Section 2.2 are really needed. 

The general idea of the proof is as follows. First, the definition
by pattern matching is translated to a case tree. This translation
is described in detail by Norell (2007), and we will not repeat
it here. Each leaf node of the case tree corresponds to a clause
f p̄ = e, i.e. it defines f on arguments that match the pattern p̄,
and each internal node corresponds to a case split of p̄ on some
variable x : D ū into patterns p̄₁, ..., p̄ₙ. If we can assemble the
definitions of f p̄₁, ..., f p̄ₙ into a definition of f p̄, then we can
work backwards from the leaf nodes towards the root, ultimately
obtaining a definition of f on arbitrary variables.

So we need to know how to assemble the definitions of
f p̄₁, ..., f p̄ₙ into a definition of f p̄. This assembly proceeds
in two steps. First we apply a technique called basic case analysis
at ū; x. This splits the problem into one subproblem for each constructor
cᵢ of D, and gives us proofs of the equations ū = v̄ᵢ and
x = cᵢ ȳ. The second step is to apply specialization by unification,
simplifying these equations step by step. The unification transitions
make sure that we do not have to fill in anything for a negative
success. So finally, we fill in the translated definition of f p̄ᵢ for
each positive success.

In general there can be recursive calls to the function f in each
clause f p̄ = e. These recursive calls are required to be structurally
recursive on some argument x : D ū of f. It is important for the proof
that the type of x in Δ is already a data type, not just the type of x
in each of the clauses separately. This allows us to use well-founded
recursion on D to obtain an inductive hypothesis H, asserting that
f is already defined on arguments structurally smaller than x. This
inductive hypothesis is then used to replace the recursive calls to f
in e.

The challenge is then to construct all these techniques (case 
analysis, specialization by unification, and structural recursion) as 
terms internal to type theory. Before we begin this construction, we 
repeat some standard definitions from type theory (Section 3.1) and 
dependent pattern matching (Section 3.2). We continue by showing 
how the homogeneous propositional equality can be used to express 
equality of sequences (Section 3.3). We then recall some standard 
equipment for inductive datatypes given by McBride et al. (2006): 
case analysis, structural recursion, no confusion, and acyclicity, 
of which the latter two are slightly adapted to work with the 
homogeneous equality (Section 3.4). No confusion and acyclicity 
are subsequently used to construct the unification transitions as terms 
inside type theory (Section 3.5). Finally, all these tools are brought 
together for the translation of case trees to eliminators (Section 3.6). 

3.1 Type theory 

As our version of type theory, we use Luo's Unified Theory of Dependent
Types (UTT) with dependent products, inductive families,
and universes (Luo 1994). We omit the meta-level logical framework
and the impredicative universe of propositions because they are not
needed for our current work. The formal rules of the version of UTT
we use are summarized in Fig. 2.

Figure 2. The core formal rules of UTT, including dependent
function types (x : A) → B, an infinite hierarchy of universes
Set₀, Set₁, Set₂, ..., and βη-equality.

Contexts and substitutions. We use Greek capitals Γ, Δ, ... for
contexts, capitals T, U, ... for types, and small letters t, u, ... for
terms. A list of terms is indicated by a bar above the letter, for
example t̄. Contexts double as the type of such a list of terms,
also called a telescope, so we can write for example t̄ : Γ where
Γ = (m : ℕ)(p : m = zero) and t̄ = zero; refl. Note that the
empty context ε is inhabited by the empty list (). The simultaneous
substitution of the terms t̄ for the variables in the context Γ is written
as [Γ ↦ t̄]. We denote substitutions by small Greek letters σ, τ, ...

Elimination operators. For any telescope Ξ, we define a
Ξ-elimination operator (McBride 2002) to be any function with a
type of the form

(P : Ξ → Setᵢ) →
(m₁ : Δ₁ → P s̄₁) ... (mₙ : Δₙ → P s̄ₙ) →               (13)
(t̄ : Ξ) → P t̄

We call Ξ the target, P the motive, and m₁, ..., mₙ the methods of
the elimination operator. The reader may think of a Ξ-elimination
operator as a way to transform a problem into a set of subproblems.
In the type shown above, the original problem is to construct a result
of type P t̄ when given an arbitrary list of values t̄ in the telescope
Ξ. This original problem is transformed into n sub-problems given
by each of the methods: the i-th subproblem is to construct a result
of type P s̄ᵢ when given an arbitrary value satisfying telescope
Δᵢ. The elimination operator's type can be read as a function that
transforms solutions for the sub-problems into a solution for the
original problem.

Inductive families. Inductive families (Dybjer 1991) are (dependent) 
types inductively defined by a number of constructors, for example 
$\mathbb N$ is defined by the constructors $\mathsf{zero} : \mathbb N$ and $\mathsf{suc} : \mathbb N \to \mathbb N$. 
Inductive families can also have parameters and indices, for example 
$\mathsf{Vec}\ A\ n$ is an inductive family with one parameter $A : \mathsf{Set}$, 
one index $n : \mathbb N$, and two constructors $\mathsf{nil} : \mathsf{Vec}\ A\ \mathsf{zero}$ and 
$\mathsf{cons} : (n : \mathbb N) \to A \to \mathsf{Vec}\ A\ n \to \mathsf{Vec}\ A\ (\mathsf{suc}\ n)$. Each 
inductive family comes equipped with a datatype eliminator, for 
example the eliminator for $\mathbb N$ is 

$$\mathsf{elim}_{\mathbb N} : (P : \mathbb N \to \mathsf{Set}_i) \to (m_{\mathsf{zero}} : P\ \mathsf{zero}) \to (m_{\mathsf{suc}} : (n : \mathbb N) \to P\ n \to P\ (\mathsf{suc}\ n)) \to (n : \mathbb N) \to P\ n \qquad (14)$$

In general, let $D$ be an inductive family. Since everything we do in 
this paper is parametric in the datatype parameters of $D$, we consider 
$D$ to be already applied to (arbitrary) parameters. So $D$ is defined by 
the telescope $\Xi$ of the indices and the constructors 

$$c_i : \Delta_i \to (\Phi_{i1} \to D\ \bar v_{i1}) \ldots (\Phi_{in_i} \to D\ \bar v_{in_i}) \to D\ \bar u_i \qquad (15)$$

for $i = 1, \ldots, k$. We write $\mathbf D$ for the telescope $(\bar u : \Xi)(x : D\ \bar u)$. The 
standard eliminator for $D$ is a $\mathbf D$-elimination operator with methods 
$m_1, \ldots, m_k$ where 

$$\begin{array}{l}
m_i : (\bar s : \Delta_i) \to \\
\quad (x_1 : \Phi_{i1} \to D\ \bar v_{i1}) \cdots (x_{n_i} : \Phi_{in_i} \to D\ \bar v_{in_i}) \to \\
\quad (h_1 : (\bar s_1 : \Phi_{i1}) \to P\ (\bar v_{i1}; x_1\ \bar s_1)) \cdots \\
\quad (h_{n_i} : (\bar s_{n_i} : \Phi_{in_i}) \to P\ (\bar v_{in_i}; x_{n_i}\ \bar s_{n_i})) \to \\
\quad P\ (\bar u_i; c_i\ \bar s\ x_1 \ldots x_{n_i})
\end{array} \qquad (16)$$

i.e. it is of the form 

$$\mathsf{elim}_D : (P : \mathbf D \to \mathsf{Set}_i)(m_1 : \ldots) \ldots (m_k : \ldots) \to (\bar x : \mathbf D) \to P\ \bar x \qquad (17)$$

where the types of $m_1, \ldots, m_k$ are as given above. 

Definitional and propositional equality. In (intensional) type theory, 
there are two distinct notions of equality. On the one hand, 
two terms $s$ and $t$ are definitionally equal (or convertible) if we 
can derive $\Gamma \vdash s = t : T$, i.e. if $s$ and $t$ are equal up to $\beta\eta$-conversion. 
On the other hand, two terms $s$ and $t$ are propositionally 
equal if we can prove their equality, i.e. if we can give a term of 
type $s = t$. Propositional equality was introduced by Martin-Löf 
(1984). In UTT, it can be defined as an inductive family with two 
parameters $A : \mathsf{Set}_i$ and $a : A$, one index $b : A$, and one constructor 
$\mathsf{refl} : a = a$. The standard eliminator for this datatype 
is exactly the J rule (10). Substitution by a propositional equality 
$\mathsf{subst} : (P : A \to \mathsf{Set}_i) \to x = y \to P\ x \to P\ y$ can readily 
be defined from J by dropping the dependence of $P$ on the equality 
proof in the type of J. In the style of HoTT, we write $e_*$ for 
$\mathsf{subst}\ P\ e$ when $P$ is clear from the context. 

3.2 Definitions by pattern matching 

A definition by pattern matching of a function $f$ consists of a number 
of equalities called clauses, which are of the form $f\ \bar p = t$ where $\bar p$ is 
a list of patterns and $t$ is a term called the right-hand side. A pattern 
is a term or a list of terms that is built from only (fully applied) 
constructors and (non-applied) variables, which we call the pattern 
variables. In dependent pattern matching, patterns can also contain 
inaccessible patterns, which can occur when there is only one type-
correct term possible in a given position. Like Norell (2007), we 
mark inaccessible patterns as $\lfloor t \rfloor$. For example, let $\mathsf{Square}\ n$ be 
an inductive family with one index $n : \mathbb N$ and one constructor 
$\mathsf{sq} : (m : \mathbb N) \to \mathsf{Square}\ m^2$. Then $\lfloor m^2 \rfloor\ (\mathsf{sq}\ m)$ is a pattern of 
type $(n : \mathbb N)(p : \mathsf{Square}\ n)$. Any other pattern in the place of $\lfloor m^2 \rfloor$ would 
be ill-typed, so the use of an inaccessible pattern is justified. We 
also define an operation $\lceil p \rceil$ taking a pattern $p$ back to its underlying 
term. 

Figure 3. A representation of the function half by a case tree. At 
each internal node, the variable on which the case split is performed 
is underlined. The leaves of the tree are the clauses 
$\mathsf{zero} \mapsto \mathsf{zero}$, 
$\mathsf{suc}\ \mathsf{zero} \mapsto \mathsf{zero}$, and 
$\mathsf{suc}\ (\mathsf{suc}\ k) \mapsto \mathsf{suc}\ (\mathsf{half}\ k)$. 

Figure 4. The structural order $\prec$ is used to check termination 
(Goguen et al. 2006): 

$$\frac{}{t_i \prec c\ t_1 \ldots t_n} \qquad\qquad \frac{r \prec s \quad s \prec t}{r \prec t}$$

Case Trees. A definition by pattern matching consists of one or 
more case splits. We represent these case splits by a case tree. The 
nodes of a case tree for a function $f : \Delta \to T$ are labeled by patterns 
of type $\Delta$, where the label of the root node consists of variables 
only. Each internal node of a case tree corresponds to a case split, 
while each leaf node corresponds to a clause of the definition. An 
example of a case tree is given in Figure 3. 

Using case trees has a number of advantages. First, the patterns 
at the leaves of a case tree always form a covering, hence case trees 
guarantee completeness. Secondly, they give an efficient method 
to evaluate functions defined by pattern matching. Thirdly and 
most importantly for our purposes, each internal node in a case 
tree corresponds exactly to the application of an eliminator for an 
inductive family, so constructing a case tree is a useful first step in 
the translation of dependent pattern matching to pure type theory as 
demonstrated by Goguen et al. (2006). 

Structural recursion. In order to guarantee termination, functions 
are required to be structurally recursive. This means that the 
arguments of recursive calls should be structurally smaller than 
the pattern on the left-hand side. The structural order $\prec$ is defined 
in Figure 4. For functions with multiple arguments, the function 
should be structurally recursive on one of its arguments, i.e. there 
should be some $k$ such that $s_k \prec p_k$ for each clause $f\ \bar p = t$ and 
each recursive call $f\ \bar s$ in $t$. 

3.3 Homogeneous telescopic equality 

There is a reason why it is hard to see where exactly the K axiom 
is used in the translation from pattern matching to eliminators 
by Goguen et al. (2006): they do not use the axiom directly, but 
instead depend on the heterogeneous propositional equality. The 
heterogeneous equality allows the formation of equalities between 
terms of different types, but still only allows a proof when the types 
are in fact the same. This heterogeneous equality is convenient for 
expressing equality between sequences of data in a given telescope. 
Unfortunately, the elimination rule for this heterogeneous equality 
proposed by McBride is equivalent to the K axiom (McBride 
2000). Heterogeneous equality (and its elimination rule) is used 
almost everywhere in the translation, making it impossible to see 
where the K axiom is really needed. So instead we work with the 
homogeneous propositional equality and the standard J eliminator. 

Working with homogeneous equality also means we have to 
work a little harder to express equality of two sequences of terms in 
the same telescope. We define telescopic equality $\bar s \equiv \bar t$ inductively 
on the length of the telescope as follows: 

$$\begin{array}{rcl}
() \equiv () & := & \varepsilon \\
(s; \bar s) \equiv (t; \bar t) & := & (e : s = t)(e_*\ \bar s \equiv \bar t)
\end{array} \qquad (18)$$

where $e_*\ (s_1; \ldots; s_n) := (e_*\ s_1; \ldots; e_*\ s_n)$. Note that the 
substitution $e_*$ is needed to make the equation between $\bar s$ and $\bar t$ again 
homogeneous. Telescopic inequality is defined by $\bar s \not\equiv \bar t := \bar s \equiv \bar t \to \bot$. 
For each $\bar t : \Delta$, we define $\overline{\mathsf{refl}} : \bar t \equiv \bar t$ as $\mathsf{refl}; \ldots; \mathsf{refl}$. We 
also have the telescopic eliminator 

$$\bar{\mathsf J} : (P : (\bar s : \Delta) \to \bar t \equiv \bar s \to \mathsf{Set}_i) \to P\ \bar t\ \overline{\mathsf{refl}} \to (\bar s : \Delta) \to (\bar e : \bar t \equiv \bar s) \to P\ \bar s\ \bar e \qquad (19)$$

It is defined by eliminating the equations $\bar e$ from left to right using J. 
Each elimination of an equation $e_i : t_i = s_i$ fills in $\mathsf{refl}$ for all 
occurrences of $e_i$, allowing the next equations to reduce and in 
particular ensuring that the following equation is of the correct 
form. Telescopic substitution $\overline{\mathsf{subst}}$ is defined by dropping the 
dependence of $P$ on $\bar t \equiv \bar s$ in the definition of $\bar{\mathsf J}$. Again, we write $\bar e_*$ 
for $\overline{\mathsf{subst}}\ P\ \bar e$ when $P$ is clear from the context. A formalization 
of homogeneous telescopic equality and the constructions in this 
section can be found in the file TelescopicEquality.agda in the 
supplementary material. 
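As an added Agda example (ours, not code from the paper or its supplementary files), the module below spells out the ℕ-eliminator (14), propositional equality as an inductive family with its J rule and the derived subst, and homogeneous telescopic equality (18) with its eliminator (19) for the concrete telescope (n : ℕ)(xs : Vec A n); every name is ours and nothing is imported.

```agda
{-# OPTIONS --without-K #-}
-- Added example, not the paper's code: eliminators, J/subst and
-- telescopic equality for one concrete telescope.  All names are ours.

data ℕ : Set where
  zero : ℕ
  suc  : ℕ → ℕ

-- The standard eliminator of ℕ (14): an ℕ-elimination operator with
-- motive P and the two methods m-zero and m-suc.
elimℕ : (P : ℕ → Set) → P zero → ((n : ℕ) → P n → P (suc n)) → (n : ℕ) → P n
elimℕ P mz ms zero    = mz
elimℕ P mz ms (suc n) = ms n (elimℕ P mz ms n)

-- Addition written as an instance of elimℕ with a constant motive.
_+_ : ℕ → ℕ → ℕ
m + n = elimℕ (λ _ → ℕ) n (λ _ r → suc r) m

-- Propositional equality: parameters A and a, one index b, one constructor.
data _≡_ {A : Set} (a : A) : A → Set where
  refl : a ≡ a

-- The J rule, i.e. the standard eliminator of _≡_.  Matching on refl
-- only needs the 'solution' step b := a, so no K is involved.
J : {A : Set} (a : A) (P : (b : A) → a ≡ b → Set) → P a refl → (b : A) (e : a ≡ b) → P b e
J a P p .a refl = p

-- subst drops the dependence of the motive on the proof.
subst : {A : Set} (P : A → Set) {x y : A} → x ≡ y → P x → P y
subst P {x} e px = J x (λ y _ → P y) px _ e

sym : {A : Set} {x y : A} → x ≡ y → y ≡ x
sym {x = x} e = J x (λ y _ → y ≡ x) refl _ e

data Vec (A : Set) : ℕ → Set where
  []  : Vec A zero
  _∷_ : {n : ℕ} → A → Vec A n → Vec A (suc n)

-- Homogeneous telescopic equality (18) for (n : ℕ)(xs : Vec A n): first a
-- proof e-len : n ≡ m, then an equality of vectors made homogeneous by
-- transporting xs along e-len with subst.
record _≡Vec_ {A : Set} {n m : ℕ} (xs : Vec A n) (ys : Vec A m) : Set where
  constructor _,_
  field
    e-len : n ≡ m
    e-vec : subst (Vec A) e-len xs ≡ ys

refl-Vec : {A : Set} {n : ℕ} (xs : Vec A n) → xs ≡Vec xs
refl-Vec xs = refl , refl

-- The telescopic eliminator (19) for this telescope, built by eliminating
-- the two equations from left to right with J: once the first J has filled
-- in refl for e-len, subst reduces and the second equation is an ordinary
-- homogeneous xs ≡ ys, on which J applies again.
J-Vec : {A : Set} {n : ℕ} (xs : Vec A n)
      → (P : {m : ℕ} (ys : Vec A m) → xs ≡Vec ys → Set)
      → P xs (refl-Vec xs)
      → {m : ℕ} (ys : Vec A m) (eq : xs ≡Vec ys) → P ys eq
J-Vec {A} {n} xs P p {m} ys (el , ev) =
  J n (λ m' el' → (ys' : Vec A m') (ev' : subst (Vec A) el' xs ≡ ys') → P ys' (el' , ev'))
      (λ ys' ev' → J xs (λ ys'' ev'' → P ys'' (refl , ev'')) p ys' ev')
      m el ys ev
```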

3.4 A few homogeneous constructions on constructors 

McBride et al. (2006) developed tools for working with inductive 
families of datatypes: case analysis, recursion, no confusion 
(subsuming both injectivity and disjointness), and acyclicity. In 
this section, we present these rules adapted to work with homogeneous 
instead of heterogeneous equality. We refer to the appendix 
for the actual construction of these tools, as the differences 
with the work of McBride et al. are minor and rather technical. 
A computer-checked version of these constructions for some 
concrete data types (binary trees, dependent sums, finite sets, the 
identity type, and indexed containers) can be found in the file 
ConstructionsOnConstructors.agda in the supplementary material. 
For the rest of this section, let $D : \Xi \to \mathsf{Set}_i$ be an inductive 
family. 

Case analysis $\mathsf{case}_D$ is a weakened version of the standard eliminator 
$\mathsf{elim}_D$ that we get by dropping the inductive hypotheses of 
the methods. For example, $\mathsf{case}_{\mathbb N}$ has type 

$$(P : \mathbb N \to \mathsf{Set}_i) \to (m_{\mathsf{zero}} : P\ \mathsf{zero}) \to (m_{\mathsf{suc}} : (n : \mathbb N) \to P\ (\mathsf{suc}\ n)) \to (n : \mathbb N) \to P\ n \qquad (20)$$

Recursion is given in two levels. First, for $x : D\ \bar u$, $\mathsf{Below}_D\ P\ \bar u\ x$ 
is a tuple type that is inhabited whenever $P\ \bar v\ y$ holds for 
all $y : D\ \bar v$ which are structurally smaller than $x : D\ \bar u$. For 
example for $\mathbb N$, we have $\mathsf{Below}_{\mathbb N}\ P\ \mathsf{zero} = \top$ (the unit type) 
and $\mathsf{Below}_{\mathbb N}\ P\ (\mathsf{suc}\ n) = \mathsf{Below}_{\mathbb N}\ P\ n \times P\ n$. Secondly, the 
helper function $\mathsf{below}_D$ constructs this tuple: 

$$\mathsf{below}_D : (P : (\bar x : \mathbf D) \to \mathsf{Set}_i) \to ((\bar x : \mathbf D) \to \mathsf{Below}_D\ P\ \bar x \to P\ \bar x) \to (\bar x : \mathbf D) \to \mathsf{Below}_D\ P\ \bar x \qquad (21)$$

Finally, 

$$\mathsf{rec}_D : (P : (\bar x : \mathbf D) \to \mathsf{Set}_i) \to ((\bar x : \mathbf D) \to \mathsf{Below}_D\ P\ \bar x \to P\ \bar x) \to (\bar x : \mathbf D) \to P\ \bar x \qquad (22)$$

is used for well-founded recursion over values of type $D$. 



No confusion is also given in two levels. First, $\mathsf{NoConfusion}_D : \mathbf D \to \mathbf D \to \mathsf{Set}_i$ 
is a type such that 

$$\begin{array}{rcl}
\mathsf{NoConfusion}_D\ (\bar u; c\ \bar s)\ (\bar v; c\ \bar t) & = & \bar s \equiv \bar t \\
\mathsf{NoConfusion}_D\ (\bar u; c\ \bar s)\ (\bar v; c'\ \bar t) & = & \bot \quad (\text{when } c \neq c')
\end{array} \qquad (23)$$

Secondly, we construct 

$$\mathsf{noConf}_D : (\bar x\ \bar y : \mathbf D) \to \bar x \equiv \bar y \to \mathsf{NoConfusion}_D\ \bar x\ \bar y \qquad (24)$$

We also construct an inverse 

$$\mathsf{noConf}_D^{-1} : (\bar x\ \bar y : \mathbf D) \to \mathsf{NoConfusion}_D\ \bar x\ \bar y \to \bar x \equiv \bar y \qquad (25)$$

and give a proof $\mathsf{isLeftInv}_D$ that $(\mathsf{noConf}_D^{-1}\ \bar x\ \bar y) \circ (\mathsf{noConf}_D\ \bar x\ \bar y)$ 
is the identity on $\bar x \equiv \bar y$.² The need for this inverse 
will become clear when we construct the unification transitions 
in Section 3.5. 

Acyclicity is yet again given in two levels. First, $\bar x \not\prec \bar y$ is defined 
as a tuple type stating that $\bar x : \mathbf D$ is not structurally smaller than 
$\bar y : \mathbf D$. For example, $x \not\prec 2 = (x \neq 0) \times (x \neq 1)$. Secondly, 
$\mathsf{noCycle}_D : (\bar x\ \bar y : \mathbf D) \to \bar x \equiv \bar y \to \bar x \not\prec \bar y$ states that no term 
can be structurally smaller than itself. 

Basic analysis. Note that $\mathsf{elim}_D$, $\mathsf{case}_D$, and $\mathsf{rec}_D$ are all $\mathbf D$-elimination 
operators, i.e. for a motive $P : \mathbf D \to \mathsf{Set}_i$ they return 
something of type $(\bar u : \Xi)(x : D\ \bar u) \to P\ (\bar u; x)$. However, 
we often need a return type where the indices $\bar u$ of $x$ are more 
specialized, for example to construct a function of type $(k : \mathbb N)(y : k < \mathsf{zero}) \to \mathsf{zero} = k$. 
McBride (2002) solves this problem by 
adding the constraints on the indices as additional arguments to the 
motive $P$, and filling in $\mathsf{refl}$ as soon as the constraints are satisfied. 
This technique is called basic analysis. In the example above, the 
basic $\mathsf{case}_<$-analysis of $\mathsf{zero} = k$ at $k; \mathsf{zero}; y$ has type 

$$\begin{array}{l}
(m_1 : (m : \mathbb N)(k : \mathbb N)(y : k < \mathsf{zero}) \to (\mathsf{zero}; m; \mathsf{lz}\ m) \equiv (k; \mathsf{zero}; y) \to \mathsf{zero} = k) \to \\
(m_2 : (m\ n : \mathbb N)(x : m < n)(k : \mathbb N)(y : k < \mathsf{zero}) \to (\mathsf{suc}\ m; \mathsf{suc}\ n; \mathsf{ls}\ m\ n\ x) \equiv (k; \mathsf{zero}; y) \to \mathsf{zero} = k) \to \\
(k : \mathbb N)(y : k < \mathsf{zero}) \to \mathsf{zero} = k
\end{array} \qquad (26)$$

Note that applying $\mathsf{case}_<$ directly to $y : k < \mathsf{zero}$ would lead 
to loss of the information that the second index of $y$ is $\mathsf{zero}$, thus 
leaving us unable to provide $m_1$ and $m_2$. 

In general, let $\mathsf{elim}$ be any $\Xi$-elimination operator, and suppose 
we want to construct a function of type $\Delta \to \Phi$ by applying this 
eliminator to $\bar t$ where $\Delta \vdash \bar t : \Xi$. Then we apply $\mathsf{elim}$ to the motive 
$\lambda(\bar s : \Xi).\ \Delta \to \bar s \equiv \bar t \to \Phi$. Filling in $\bar t$ for $\bar s$ and $\overline{\mathsf{refl}}$ for the proof 
of $\bar s \equiv \bar t$ gives us the basic $\mathsf{elim}$-analysis of $\Phi$ at $\bar t$: 

$$\lambda m_1; \ldots; m_n; \bar x.\ \mathsf{elim}\ (\lambda \bar s.\ \Delta \to \bar s \equiv \bar t \to \Phi)\ m_1 \ldots m_n\ \bar t\ \bar x\ \overline{\mathsf{refl}} \qquad (27)$$

which is of type 

$$(m_1 : \Delta_1 \to \Delta \to \bar s_1 \equiv \bar t \to \Phi) \ldots (m_n : \Delta_n \to \Delta \to \bar s_n \equiv \bar t \to \Phi) \to \Delta \to \Phi \qquad (28)$$

Basic analysis will be used throughout the proof: once with $\mathsf{rec}_D$ 
for structural recursion, and once with $\mathsf{case}_D$ for each case split. 

3.5 Unification without K 

In order to translate a node of the case tree to the application of an 
eliminator, we need terms that give an account of the unification 
process inside of type theory itself. In order to do this, we use 
the "no confusion" and "no cycle" properties from the previous 
section. The unification transitions are given in Figure 5. A computer-
checked construction of them for some concrete data types can be 
found in the file Unification.agda in the supplementary material. 

$$\begin{array}{l}
\mathsf{solution} : (\Phi : (x : A)(e : x_0 = x) \to \mathsf{Set}_i) \to (m : \Phi\ x_0\ \mathsf{refl}) \to (x : A)(e : x_0 = x) \to \Phi\ x\ e \\
\mathsf{solution}\ \Phi\ m\ x\ e = \mathsf J\ A\ x_0\ \Phi\ m\ x\ e \\[1ex]
\mathsf{injectivity} : (\Phi : (e : \bar u_s; c\ \bar s \equiv \bar u_t; c\ \bar t) \to \mathsf{Set}_i) \to \\
\quad (m : (e : \bar s \equiv \bar t) \to \Phi\ (\mathsf{noConf}_D^{-1}\ (\bar u_s; c\ \bar s)\ (\bar u_t; c\ \bar t)\ e)) \to \\
\quad (e : \bar u_s; c\ \bar s \equiv \bar u_t; c\ \bar t) \to \Phi\ e \\
\mathsf{injectivity}\ \Phi\ m\ e = (\mathsf{isLeftInv}_D\ (\bar u_s; c\ \bar s)\ (\bar u_t; c\ \bar t)\ e)_*\ (m\ (\mathsf{noConf}_D\ (\bar u_s; c\ \bar s)\ (\bar u_t; c\ \bar t)\ e)) \\[1ex]
\mathsf{conflict} : (\Phi : (e : \bar u_s; c_1\ \bar s \equiv \bar u_t; c_2\ \bar t) \to \mathsf{Set}_i) \to (e : \bar u_s; c_1\ \bar s \equiv \bar u_t; c_2\ \bar t) \to \Phi\ e \\
\mathsf{conflict}\ \Phi\ e = \mathsf{elim}_\bot\ (\lambda \_.\ \Phi\ e)\ (\mathsf{noConf}_D\ (\bar u_s; c_1\ \bar s)\ (\bar u_t; c_2\ \bar t)\ e) \\[1ex]
\mathsf{cycle} : (\Phi : (e : \bar u; x \equiv \bar v; c\ \bar s[x]) \to \mathsf{Set}_i) \to (e : \bar u; x \equiv \bar v; c\ \bar s[x]) \to \Phi\ e \\
\mathsf{cycle}\ \Phi\ e = \mathsf{elim}_\bot\ (\lambda \_.\ \Phi\ e)\ (\pi\ (\mathsf{noCycle}_D\ (\bar u; x)\ (\bar v; c\ \bar s[x])\ e)\ \overline{\mathsf{refl}}) \\
\quad (\text{where } \pi : \bar u; x \not\prec \bar v; c\ \bar s[x] \to \bar u; x \not\equiv \bar u; x)
\end{array}$$

Figure 5. The unification transitions represented as type-theoretic 
terms. Compared to the transitions given by Goguen et al. (2006), 
these work with the homogeneous equality and $\Phi$ has an additional 
dependence on the equality proof. While these unification transitions 
are the most general ones we can construct, they are not the ones 
that we use for case splitting in practice. Rather, $\mathsf{injectivity}$, 
$\mathsf{conflict}$, and $\mathsf{cycle}$ are replaced by their more specialized 
variants $\mathsf{injectivity}'$ (33), $\mathsf{conflict}'$ (34), and $\mathsf{cycle}'$ (35). 

² We could also prove that $(\mathsf{noConf}_D\ \bar x\ \bar y) \circ (\mathsf{noConf}_D^{-1}\ \bar x\ \bar y)$ is the 
identity on $\mathsf{NoConfusion}_D\ \bar x\ \bar y$, thus establishing that $\mathsf{noConf}_D\ \bar x\ \bar y$ is an 
equivalence. However, this is not needed for the present work. 
Compared to Goguen et al. (2006), working with homogeneous 
equality leads us very naturally to upgraded unification transitions 
which are dependent on the equality proof. For example, consider 
a context $\Xi = (a : A)(b : B\ a)$ and a $\Xi$-elimination operator 
$\mathsf{elim}$. Basic $\mathsf{elim}$-analysis requires us to construct methods of type 
$\Delta \to a; b \equiv a'; b' \to T$, or if we expand the definition of telescopic 
equality: 

$$(e_a : a = a') \to (e_a)_*\ b = b' \to T \qquad (29)$$

The motive for eliminating $a = a'$ is $\lambda e_a.\ (e_a)_*\ b = b' \to T$, which 
depends on the proof $e_a$. So the dependence of $\Phi$ on the equality 
proofs is caused by the need to use substitution in the definition of 
homogeneous telescopic equality. Intuitively, it is not surprising that 
not assuming UIP leads us to consider identity proofs relevant! 

The first thing we want to point out about Figure 5 is the lack 
of a deletion transition. The non-dependent version of deletion 
given by Goguen et al. (2006) has type 

$$(\Phi : \mathsf{Set}_i)(m : \Phi) \to (e : x_0 = x_0) \to \Phi \qquad (30)$$

which can be constructed without K but would be quite useless in 
our situation because $\Phi$ cannot depend on $e$. In contrast, a dependent 
deletion rule would look like 

$$\mathsf{deletion} : (\Phi : (e : x_0 = x_0) \to \mathsf{Set}_i) \to (m : \Phi\ \mathsf{refl}) \to (e : x_0 = x_0) \to \Phi\ e \qquad (31)$$

which is exactly the K axiom. This is the reason for the first 
restriction on the unification algorithm in our criterion, namely 
that the deletion rule cannot be used. 

A second point of interest in Figure 5 is the type of $\Phi$ in the 
$\mathsf{injectivity}$ function: it is indexed over the equality proof of the 
indices $\bar u_s$ and $\bar u_t$ as well as the equality proof of $c\ \bar s$ and $c\ \bar t$. But this 
does not correspond exactly to the injectivity rule from Section 2.1. 
Rather, we need a more specialized version of injectivity where 
the indices $\bar u_s$ and $\bar u_t$ are already definitionally equal: 

$$\mathsf{injectivity}_{\mathrm{bad}} : (\Phi : (e : c\ \bar s = c\ \bar t) \to \mathsf{Set}_i) \to (m : (e : \bar s \equiv \bar t) \to \Phi\ ???) \to (e : c\ \bar s = c\ \bar t) \to \Phi\ e \qquad (32)$$

However, unlike $\mathsf{injectivity}$ such a function cannot be constructed 
from $\mathsf{noConf}_D$. This is because in order to fill in the question 
marks, we need a function $g : \bar s \equiv \bar t \to c\ \bar s = c\ \bar t$ such that we 
can prove $g\ (\mathsf{noConf}_D\ (\bar u; c\ \bar s)\ (\bar u; c\ \bar t)\ (\overline{\mathsf{refl}}; e)) = e$ for arbitrary 
$e$, but no such $g$ can be found. In fact, wrongly using this transition 
caused a bug in Agda's --without-K option, allowing one to prove a 
weaker version of the K axiom (Cockx 2014). 

What we can construct from $\mathsf{noConf}_D$ is the following: 

$$\begin{array}{l}
\mathsf{injectivity}' : (\Phi : (e : \bar u; c\ \bar s \equiv \bar u; c\ \bar t) \to \mathsf{Set}_i) \to \\
\quad (m : (e : \bar s \equiv \bar t) \to \Phi\ (\mathsf{noConf}_D^{-1}\ (\bar u; c\ \bar s)\ (\bar u; c\ \bar t)\ e)) \to \\
\quad (e : c\ \bar s = c\ \bar t) \to \Phi\ (\overline{\mathsf{refl}}; e)
\end{array} \qquad (33)$$

This rule is simply a specialized version of the $\mathsf{injectivity}$ rule in 
Figure 5. However, there is still a problem with this rule. Suppose we 
want to use it to construct a function of type $(e : c\ \bar s = c\ \bar t) \to \Phi'\ e$ 
where $\Phi' : c\ \bar s = c\ \bar t \to \mathsf{Set}_i$, and we want to apply $\mathsf{injectivity}'$. 
Then we need to find $\Phi : \bar u; c\ \bar s \equiv \bar u; c\ \bar t \to \mathsf{Set}_i$ such that 
$\Phi\ (\overline{\mathsf{refl}}; e) = \Phi'\ e$ for arbitrary $e : c\ \bar s = c\ \bar t$. This is problematic 
because we cannot eliminate the equations $\bar u \equiv \bar u$ in general without 
using the K axiom. This is the reason for the second restriction on 
the unification algorithm in our criterion, namely that the indices 
$\bar u$ should be self-unifiable. This condition guarantees that we can 
construct $\Phi$ from $\Phi'$ by applying the unification transitions used in 
the self-unification of $\bar u$ by applying specialization by unification 
(see below). 

At first sight, the $\mathsf{conflict}$ and $\mathsf{cycle}$ rules suffer from the same 
problem as the $\mathsf{injectivity}$ rule because their motive $\Phi$ depends 
on the proof of $\bar u_s \equiv \bar u_t$ as well. However, in these cases the 
problem can be solved because both $\mathsf{conflict}$ and $\mathsf{cycle}$ factor 
through the empty type $\bot$. To illustrate this, suppose we want to 
construct a function of type $(e : c_1\ \bar s = c_2\ \bar t) \to \Phi'\ e$. First we 
apply $\mathsf{conflict}$ with $\Phi = \lambda e.\ \bot$, giving us a function of type 
$(e : \bar u; c_1\ \bar s \equiv \bar u; c_2\ \bar t) \to \bot$. Filling in $\overline{\mathsf{refl}}$ for the equations $\bar u \equiv \bar u$ 
gives us $(e : c_1\ \bar s = c_2\ \bar t) \to \bot$. Now by $\bot$-elimination, we also get 
a function $(e : c_1\ \bar s = c_2\ \bar t) \to \Phi'\ e$. This gives us the following 
rule: 

$$\mathsf{conflict}' : (\Phi : (e : c_1\ \bar s = c_2\ \bar t) \to \mathsf{Set}_i) \to (e : c_1\ \bar s = c_2\ \bar t) \to \Phi\ e \qquad (34)$$

Analogously we can construct a function 

$$\mathsf{cycle}' : (\Phi : (e : x = c\ \bar s[x]) \to \mathsf{Set}_i) \to (e : x = c\ \bar s[x]) \to \Phi\ e \qquad (35)$$

In our proof, we will use the primed variants $\mathsf{injectivity}'$, 
$\mathsf{conflict}'$, and $\mathsf{cycle}'$. 

Specialization by unification. Given any type of the form $\Delta \to \bar u \equiv \bar v \to T$ 
(for example the types of $m_1, \ldots, m_n$ in the basic 
$\mathsf{case}_D$-analysis), we may seek to construct an inhabitant of this 
type, called a specializer, by exhaustively iterating the unification 
transitions as applicable. In case of a positive success, a specializer 
is found, given some $m : \Delta' \to T\sigma$ where $\sigma : \Delta' \to \Delta$ is a 
substitution. In the case of a negative success, a specializer is found 
without any additional assumptions. 

The $\mathsf{solution}$ rule removes one variable from $\Delta$, while 
$\mathsf{injectivity}'$ keeps it the same. Hence in the case of a positive 
success we have $\Delta' \subseteq \Delta$, and $\sigma$ is idempotent. So for any $\bar t : \Delta$, 
we can define an inverse $\sigma^{-1}[\bar t] : \Delta'$ by selecting the variables of 
$\Delta'$ from $\Delta$. If specialization by unification delivers a specializer $s$ 
satisfying 

$$(m : \Delta' \to T\sigma) \vdash s : \Delta \to (\bar u \equiv \bar v) \to T \qquad (36)$$

and $\bar t : \Delta$ is such that $\bar u[\Delta \mapsto \bar t] = \bar v[\Delta \mapsto \bar t]$, then we have 
$s\ \bar t\ \overline{\mathsf{refl}} \leadsto m\ \sigma^{-1}[\bar t]$. It is clear why this holds for $\mathsf{solution}$; it 
also holds for $\mathsf{injectivity}'$ since both $\mathsf{noConf}$ and $\mathsf{isLeftInv}$ 
map $\overline{\mathsf{refl}}$ to $\overline{\mathsf{refl}}$, hence $\mathsf{injectivity}'\ \Phi\ m\ \overline{\mathsf{refl}} \leadsto m\ \overline{\mathsf{refl}}$. 
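Added Agda example (ours, not the paper's Unification.agda): the no-confusion and no-cycle constructions of Section 3.4 and the transitions solution, injectivity', conflict' and cycle' of Section 3.5, instantiated for ℕ, whose index telescope is empty, so injectivity' coincides with injectivity; the last definition checks by refl the computation rule on refl̄ that specialization by unification relies on. Only Agda's built-in Nat and ≡ are imported; every other name is ours.

```agda
{-# OPTIONS --without-K #-}
-- Added example, not the paper's code: Section 3.4/3.5 for ℕ.
open import Agda.Builtin.Nat using (Nat; zero; suc)
open import Agda.Builtin.Equality using (_≡_; refl)

data ⊥ : Set where

elim⊥ : (P : ⊥ → Set) → (b : ⊥) → P b
elim⊥ P ()

data ⊤ : Set where
  tt : ⊤

subst : {A : Set} (P : A → Set) {x y : A} → x ≡ y → P x → P y
subst P refl px = px

-- NoConfusion_ℕ (23): same constructor gives equality of the arguments,
-- different constructors give ⊥.
NoConfusion : Nat → Nat → Set
NoConfusion zero    zero    = ⊤
NoConfusion zero    (suc _) = ⊥
NoConfusion (suc _) zero    = ⊥
NoConfusion (suc m) (suc n) = m ≡ n

-- noConf_ℕ (24): matching on refl needs only the 'solution' step y := x.
noConf : (x y : Nat) → x ≡ y → NoConfusion x y
noConf zero    .zero    refl = tt
noConf (suc m) .(suc m) refl = refl

-- noConf_ℕ⁻¹ (25), the inverse that injectivity needs.
noConf⁻¹ : (x y : Nat) → NoConfusion x y → x ≡ y
noConf⁻¹ zero    zero     tt   = refl
noConf⁻¹ zero    (suc n)  ()
noConf⁻¹ (suc m) zero     ()
noConf⁻¹ (suc m) (suc .m) refl = refl

-- isLeftInv_ℕ: noConf⁻¹ ∘ noConf is the identity on x ≡ y.
isLeftInv : (x y : Nat) (e : x ≡ y) → noConf⁻¹ x y (noConf x y e) ≡ e
isLeftInv zero    .zero    refl = refl
isLeftInv (suc m) .(suc m) refl = refl

-- solution: eliminate e : x₀ ≡ x by J; the motive may depend on e.
solution : {A : Set} (x₀ : A) (Φ : (x : A) → x₀ ≡ x → Set)
         → Φ x₀ refl → (x : A) (e : x₀ ≡ x) → Φ x e
solution x₀ Φ m .x₀ refl = m

-- injectivity' (33) for suc, built from noConf and isLeftInv as in Figure 5.
injectivity' : (s t : Nat) (Φ : suc s ≡ suc t → Set)
             → ((e : s ≡ t) → Φ (noConf⁻¹ (suc s) (suc t) e))
             → (e : suc s ≡ suc t) → Φ e
injectivity' s t Φ m e =
  subst Φ (isLeftInv (suc s) (suc t) e) (m (noConf (suc s) (suc t) e))

-- conflict' (34): zero and suc never unify, so any motive is inhabited.
conflict' : (t : Nat) (Φ : zero ≡ suc t → Set) (e : zero ≡ suc t) → Φ e
conflict' t Φ e = elim⊥ (λ _ → Φ e) (noConf zero (suc t) e)

-- noCycle_ℕ for the cycle n ≡ suc n: conflict at zero, injectivity at suc.
noCycle : (n : Nat) → n ≡ suc n → ⊥
noCycle zero    e = noConf zero (suc zero) e
noCycle (suc n) e = noCycle n (noConf (suc n) (suc (suc n)) e)

-- cycle' (35) for ℕ, factoring through ⊥ exactly like conflict'.
cycle' : (n : Nat) (Φ : n ≡ suc n → Set) (e : n ≡ suc n) → Φ e
cycle' n Φ e = elim⊥ (λ _ → Φ e) (noCycle n e)

-- The computation rule used by specialization by unification: on refl,
-- injectivity' Φ m refl reduces to m refl, so this holds by refl.
injectivity'-refl : (s : Nat) (Φ : suc s ≡ suc s → Set)
                  → (m : (e : s ≡ s) → Φ (noConf⁻¹ (suc s) (suc s) e))
                  → injectivity' s s Φ m refl ≡ m refl
injectivity'-refl s Φ m = refl
```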

3.6 From case trees to eliminators 

Now we use the tools described in the previous sections to translate 
a function $f : (\bar t : \Delta) \to T$ given by a structurally recursive case 
tree to another one $f' : (\bar t : \Delta) \to T$ constructed from eliminators 
only. As a running example, let $f = \mathsf{antisym}$ from Definition (5). 
For this example, we have $\Delta = (m\ n : \mathbb N)(x : m < n)(y : n < m)$ 
and $T = (m = n)$. Define $\{e\}_{f \mapsto f'}$ by replacing all occurrences of $f$ 
by $f'$ in $e$. Then we have moreover that $f'$ satisfies $f'\ \bar t \leadsto^* \{u\}_{f \mapsto f'}$ 
whenever $f\ \bar t \leadsto u$, i.e. it has the same reduction behaviour as $f$. 

Without loss of generality, let $f$ be structurally recursive on 
some $t_j : D\ \bar v$, the $j$th variable in $\Delta$. In our example, $\mathsf{antisym}$ is 
structurally recursive on all four arguments, so we arbitrarily choose to 
do structural recursion on $x : m < n$. The basic $\mathsf{rec}_D$-analysis of $T$ 
at $\bar v; t_j$ is 

$$\lambda m_s; \bar t.\ \mathsf{rec}_D\ P\ m_s\ (\bar v; t_j)\ \bar t\ \overline{\mathsf{refl}} \qquad (37)$$

which has type 

$$(m_s : (\bar x : \mathbf D) \to \mathsf{Below}_D\ P\ \bar x \to (\bar t : \Delta) \to \bar x \equiv \bar v; t_j \to T) \to (\bar t : \Delta) \to T \qquad (38)$$

where $P = \lambda \bar x.\ (\bar t : \Delta) \to \bar x \equiv \bar v; t_j \to T$. In our example, we 
have $P = \lambda m'; n'; x'.\ \Delta \to (m'; n'; x') \equiv (m; n; x) \to m = n$. 

Suppose we have an $m : (\bar t : \Delta) \to \mathsf{Below}_D\ P\ (\bar v; t_j) \to T$, 
then we construct $m_s : (\bar x : \mathbf D) \to \mathsf{Below}_D\ P\ \bar x \to (\bar t : \Delta) \to \bar x \equiv \bar v; t_j \to T$ 
by applying the telescopic equality eliminator $\bar{\mathsf J}$ on 
the equations $\bar x \equiv \bar v; t_j$. More precisely, $m_s$ is defined as 

$$\lambda \bar x; H; \bar t; \bar e.\ \bar{\mathsf J}\ (\lambda \bar x; \bar e.\ \mathsf{Below}_D\ P\ \bar x \to T)\ (m\ \bar t)\ (\mathsf{sym}\ \bar e)\ H \qquad (39)$$

where $\mathsf{sym} : \bar x \equiv \bar y \to \bar y \equiv \bar x$. For any $\bar t : \Delta$, we have 

$$m_s\ (\bar v; t_j)\ H\ \bar t\ \overline{\mathsf{refl}} \leadsto m\ \bar t\ H \qquad (40)$$

We will define $f'$ as 

$$\lambda \bar t.\ \mathsf{rec}_D\ P\ m_s\ (\bar v; t_j)\ \bar t\ \overline{\mathsf{refl}} : (\bar t : \Delta) \to T \qquad (41)$$

once we have constructed a suitable $m$. Note that $m$ may make 
'recursive calls' to $f'$ on arguments structurally smaller than $t_j$ 
using its argument of type $\mathsf{Below}_D\ P\ (\bar v; t_j)$. Also note that 

$$\begin{array}{rcl}
f'\ \bar t & \leadsto & \mathsf{rec}_D\ P\ m_s\ (\bar v; t_j)\ \bar t\ \overline{\mathsf{refl}} \\
& \leadsto & m_s\ (\bar v; t_j)\ (\mathsf{below}_D\ P\ m_s\ (\bar v; t_j))\ \bar t\ \overline{\mathsf{refl}} \\
& \leadsto & m\ \bar t\ (\mathsf{below}_D\ P\ m_s\ (\bar v; t_j))
\end{array} \qquad (42)$$

m t (below D P m 3 (v; tj)) 



In order to construct $m$, we proceed by induction on the structure 
of $f$'s case tree. So suppose that we have arrived at some node with 
label $\bar p$ where $\bar p$ has pattern variables from a context $\Theta$ and we 
wish to construct $m : \Theta \to \mathsf{Below}_D\ P\ (\bar v; t_j)\tau \to T\tau$ where 
$\tau = [\Delta \mapsto \lceil \bar p \rceil]$. Note that we have $\Theta = \Delta$ at the root node. There 
are three cases: 

Internal node. In this case, the context is split on some variable 
$y$ where $\Theta = \Theta_1(y : D'\ \bar v_y)\Theta_2$ and $D'$ is an inductive family. 
The basic $\mathsf{case}_{D'}$-analysis of $\mathsf{Below}_D\ P\ (\bar v; t_j)\tau \to T\tau$ at $\bar v_y; y$ 
has type 

$$\begin{array}{l}
\ldots \to \\
(m_c : (\bar s : \Delta_c) \to \Theta \to \bar u_s; c\ \bar s \equiv \bar v_y; y \to \mathsf{Below}_D\ P\ (\bar v; t_j)\tau \to T\tau) \to \\
\ldots \to \\
\Theta \to \mathsf{Below}_D\ P\ (\bar v; t_j)\tau \to T\tau
\end{array} \qquad (43)$$

where there is one method $m_c$ for each constructor $c$ of $D'$. In 
our example, the first case split is on $x : m < n$, and the basic 
$\mathsf{case}_<$-analysis has type 

$$\begin{array}{l}
(m_{\mathsf{lz}} : (k\ m\ n : \mathbb N)(x : m < n)(y : n < m) \to (\mathsf{zero}; k; \mathsf{lz}\ k) \equiv (m; n; x) \to \mathsf{Below}_<\ P\ m\ n\ x \to m = n) \to \\
(m_{\mathsf{ls}} : (k\ l : \mathbb N)(u : k < l) \to (m\ n : \mathbb N)(x : m < n)(y : n < m) \to \\
\qquad (\mathsf{suc}\ k; \mathsf{suc}\ l; \mathsf{ls}\ k\ l\ u) \equiv (m; n; x) \to \mathsf{Below}_<\ P\ m\ n\ x \to m = n) \to \\
(m\ n : \mathbb N)(x : m < n)(y : n < m) \to \mathsf{Below}_<\ P\ m\ n\ x \to m = n
\end{array} \qquad (44)$$

To construct the methods $m_c$, we apply specialization by unification 
on the equations $\bar u_s; c\ \bar s \equiv \bar v_y; y$, which we know will 
succeed by definition of a valid case tree. For the method 
$m_{\mathsf{lz}}$ above, the first step is to apply $\mathsf{solution}$ to the equation 
$\mathsf{zero} = m$, simplifying the goal type to 

$$m'_{\mathsf{lz}} : (k\ n : \mathbb N)(x : \mathsf{zero} < n)(y : n < \mathsf{zero}) \to (k; \mathsf{lz}\ k) \equiv (n; x) \to \mathsf{Below}_<\ P\ \mathsf{zero}\ n\ x \to \mathsf{zero} = n \qquad (45)$$

As another example, later on $\mathsf{conflict}$ is applied to the equation 
$\mathsf{suc}\ l = \mathsf{zero}$ to construct a function 

$$m_{\mathsf{lz};\mathsf{ls}} : (k\ l : \mathbb N)(u : k < l)(y : \mathsf{suc}\ k < \mathsf{zero}) \to (\mathsf{suc}\ l; \mathsf{ls}\ k\ l\ u) \equiv (\mathsf{zero}; y) \to \mathsf{Below}_<\ P\ \mathsf{zero}\ (\mathsf{suc}\ k)\ (\mathsf{lz}\ (\mathsf{suc}\ k)) \to \mathsf{zero} = \mathsf{suc}\ k$$

For each $c$ with positive success, we have to deliver a 

$$m'_c : \Theta' \to \mathsf{Below}_D\ P\ (\bar v; t_j)\tau\sigma \to T\tau\sigma \qquad (47)$$

where $\sigma : \Theta' \to \Delta_c\Theta$ is the substitution found by unification. 
But the inductive hypothesis for the subtree corresponding to 
the constructor $c$ gives us exactly such a function. For $m_{\mathsf{lz}}$, the 
goal type becomes 

$$m''_{\mathsf{lz}} : (k : \mathbb N)(y : k < \mathsf{zero}) \to \mathsf{Below}_<\ P\ \mathsf{zero}\ k\ (\mathsf{lz}\ k) \to \mathsf{zero} = k$$

after applying $\mathsf{solution}$ two more times, at which point we 
proceed with another case split on $y$. 
For any $\bar t_1; c\ \bar s; \bar t_2 : \Theta_1(y : D'\ \bar v_y)\Theta_2$, we have 

$$m\ (\bar t_1; c\ \bar s; \bar t_2) \leadsto^* m_c\ \bar s\ (\bar t_1; c\ \bar s; \bar t_2)\ \overline{\mathsf{refl}} \leadsto^* m'_c\ \sigma^{-1}[\bar s; \bar t_1; c\ \bar s; \bar t_2] \qquad (49)$$

Empty node. We follow the same construction as in the previous 
case, noting that all unifications will succeed negatively, hence 
no methods m c are needed. Absurd clauses have no right-hand 
side, so they describe no reduction behaviour. 

Leaf node. At each leaf node, we have the right-hand side $\Delta_i \vdash e_i : T\tau$. 
We wish to instantiate $m_i = \lambda \bar s; H.\ e_i$, but $e_i$ may still 
contain recursive calls to $f$. In our example, the goal type for 
the second leaf node is 

$$m_2 : (k\ l : \mathbb N)(u : k < l)(v : l < k) \to \mathsf{Below}_<\ P\ (\mathsf{suc}\ k)\ (\mathsf{suc}\ l)\ (\mathsf{ls}\ k\ l\ u) \to \mathsf{suc}\ k = \mathsf{suc}\ l \qquad (50)$$

and the right-hand side is $\mathsf{cong}\ \mathsf{suc}\ (\mathsf{antisym}\ k\ l\ u\ v)$. We 
first have to replace these recursive calls by appropriate calls 
to $H : \mathsf{Below}_D\ P\ (\bar v; t_j)\tau$. So consider a recursive call $f\ \bar r$ in 
$e_i$. Since $f$ is structurally recursive, we have $r_j \prec \lceil p_{ij} \rceil$ where 
$r_j : D\ \bar w$. By construction of $\mathsf{Below}_D$, we have a projection $\pi$ 
such that $\pi\ H : (\bar t : \Delta) \to \bar w; r_j \equiv \bar v; t_j \to T$. Hence we can 
define $e'_i$ by replacing $f\ \bar r$ by $\pi\ H\ \bar r\ \overline{\mathsf{refl}} : T[\Delta \mapsto \bar r]$ in $e_i$, 
and take $m_i = \lambda \bar s; H.\ e'_i$. For $\mathsf{antisym}$, we have 

$$\pi_1 : (m\ n : \mathbb N)(x : m < n)(y : n < m) \to (k; l; u) \equiv (m; n; x) \to m = n$$

so we replace the recursive call $\mathsf{antisym}\ k\ l\ u\ v$ by 
$\pi_1\ H\ k\ l\ u\ v\ \overline{\mathsf{refl}}$. 

When we fill in $H = \mathsf{below}_D\ P\ m_s\ (\bar v; t_j)$, we get 

$$\begin{array}{rcl}
\pi\ (\mathsf{below}_D\ P\ m_s\ (\bar v; t_j))\ \bar r\ \overline{\mathsf{refl}} & \leadsto & m_s\ (\bar w; r_j)\ (\mathsf{below}_D\ P\ m_s\ (\bar w; r_j))\ \bar r\ \overline{\mathsf{refl}} \\
& \leadsto & m\ \bar r\ (\mathsf{below}_D\ P\ m_s\ (\bar w; r_j)) = f'\ \bar r
\end{array} \qquad (52)$$

By induction, we now have the required $m : (\bar t : \Delta) \to \mathsf{Below}_D\ P\ (\bar v; t_j) \to T$, 
thus finishing the construction of $f'$. 
For each clause 

$$f\ \bar p_i = e_i \qquad (53)$$

with pattern variables $\bar s : \Delta_i$ at a leaf node of $f$'s case tree, we have 

$$\begin{array}{rcl}
f'\ \lceil \bar p_i \rceil & \leadsto & m\ \lceil \bar p_i \rceil\ (\mathsf{below}_D\ P\ m_s\ \bar u\ \lceil p_{ij} \rceil) \\
& \leadsto & m_c \ldots \quad (\text{working our way down the case tree}) \\
& \leadsto^* & m_i\ \bar s\ (\mathsf{below}_D\ P\ m_s\ \bar u\ \lceil p_{ij} \rceil) \\
& \leadsto & e'_i[H \mapsto \mathsf{below}_D\ P\ m_s\ \bar u\ \lceil p_{ij} \rceil] \\
& = & \{e_i\}_{f \mapsto f'}
\end{array} \qquad (54)$$

Hence we can conclude that whenever $f\ \bar t \leadsto u$, we also have 
$f'\ \bar t \leadsto^* \{u\}_{f \mapsto f'}$, as we wanted to prove. 

4. Making pattern matching without K less 
restrictive 

In Section 2.3, we remarked that our criterion was more general than 
the syntactic one. However, it still has some problems of its own. 
Suppose for example we are working with the inequality < indexed 
over finite sets Fin n, and we try to unify two successors in the same 
finite set. The problem $\mathsf{fs}\ n\ i = \mathsf{fs}\ n\ j$ requires solving $n = n$, 
but then we get stuck because we cannot use deletion. It can be 
proven that K is not really needed for this example, so the criterion 
is still overly conservative. We now discuss a possible solution to 
handle cases like this one. 



Kℕ : (n : ℕ)(P : n = n → Set) → P refl → (e : n = n) → P e
Kℕ zero    P p refl = p
Kℕ (suc n) P p e    = subst P (add-drop e) (Kℕ n (P ∘ add) p (drop e))
  where
    add : n = n → suc n = suc n
    add = noConfℕ⁻¹ (suc n) (suc n)
    drop : suc n = suc n → n = n
    drop = noConfℕ (suc n) (suc n)
    add-drop : (e : suc n = suc n) → add (drop e) = e
    add-drop = isLeftInvℕ (suc n) (suc n)

Figure 6. A proof that the type ℕ of natural numbers satisfies K, 
using dependent pattern matching with our criterion. The match on 
refl in the first clause passes our criterion because the unification 
problem is zero = zero, which can be solved by injectivity. The 
recursive call to Kℕ in the second clause is permitted because the 
first argument decreases from suc n to n. We use the functions 
noConf, noConf⁻¹ and isLeftInv constructed from eliminators 
in the appendix, but we could define these functions using pattern 
matching as well. 



Looking back at the construction of the unification transitions 
in Section 3.5, we disallowed using deletion on an equation $x = x$ 
because in general this requires assuming K. However, for certain 
types of $x$, K can actually be proven without assuming it as an axiom. 
These types are called (homotopy) sets in HoTT. For example, $\mathbb N$ is 
a set (see Figure 6 for a proof of this fact), so it would be fine to 
use deletion on $n = n$ when $n : \mathbb N$. This would already solve the 
problem described above. 

The question then remains how to detect which types are sets and 
which are not. One possible solution is to require the user to prove 
K manually for a particular type, and then use this proof during 
unification by means of a typeclass-like system such as given by 
Devriese and Piessens (2011). 

A nicer, but probably also harder approach is to try to detect sets 
automatically. This problem is very hard in general, but we could 
at least try to detect easy cases like $\mathbb N$, using Hedberg's theorem or 
a generalization of it (Kraus et al. 2013). Hedberg's theorem states 
that if a type $A$ has decidable equality, then it is a set. In particular, 
if $D$ is a simple (non-indexed) data type such that each constructor 
is of the form $c : \Delta_c \to D \to \ldots \to D \to D$ where all of the 
types in $\Delta_c$ have decidable equality, then $D$ itself also has decidable 
equality, hence it is a set by Hedberg's theorem. For example, this 
can be used to see that $\mathbb N$ is a set. This criterion can be used to 
reintroduce the deletion step of the unification algorithm on a more 
limited basis, namely to delete an equation $x = x$ only if the type 
of $x$ can be seen to be a set based on the criterion. 
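Added Agda example (ours, not Figure 6 or any code of the paper): the Hedberg route to K for ℕ that this section sketches. Decidable equality on ℕ follows from the injectivity and conflict facts for its constructors, Hedberg's theorem is proved for any type with decidable equality, and the resulting Kℕ justifies a deletion rule on n = n. Only Agda's built-in Nat and ≡ are imported; all other names are ours.

```agda
{-# OPTIONS --without-K #-}
-- Added example, not the paper's code: Hedberg's theorem and K for ℕ.
open import Agda.Builtin.Nat using (Nat; zero; suc)
open import Agda.Builtin.Equality using (_≡_; refl)

data ⊥ : Set where

⊥-elim : {A : Set} → ⊥ → A
⊥-elim ()

data Dec (A : Set) : Set where
  yes : A → Dec A
  no  : (A → ⊥) → Dec A

sym : {A : Set} {x y : A} → x ≡ y → y ≡ x
sym refl = refl

trans : {A : Set} {x y z : A} → x ≡ y → y ≡ z → x ≡ z
trans refl q = q

cong : {A B : Set} (f : A → B) {x y : A} → x ≡ y → f x ≡ f y
cong f refl = refl

subst : {A : Set} (P : A → Set) {x y : A} → x ≡ y → P x → P y
subst P refl px = px

-- Decidable equality on ℕ.  The two impossible cases are exactly the
-- injectivity and conflict facts of Section 3.4, both K-free.
suc-inj : {m n : Nat} → suc m ≡ suc n → m ≡ n
suc-inj refl = refl

zero≢suc : {n : Nat} → zero ≡ suc n → ⊥
zero≢suc ()

decEq : (m n : Nat) → Dec (m ≡ n)
decEq zero    zero    = yes refl
decEq zero    (suc n) = no zero≢suc
decEq (suc m) zero    = no (λ e → zero≢suc (sym e))
decEq (suc m) (suc n) with decEq m n
... | yes e  = yes (cong suc e)
... | no ¬e  = no (λ e → ¬e (suc-inj e))

-- Hedberg's theorem for any A with decidable equality: the decision gives
-- a constant endofunction on each path space x ≡ y, and a constant
-- endofunction on paths forces all parallel paths to be equal.
module Hedberg {A : Set} (dec : (x y : A) → Dec (x ≡ y)) where

  collapse : {x y : A} → Dec (x ≡ y) → x ≡ y → x ≡ y
  collapse (yes q) _ = q
  collapse (no ¬p) p = ⊥-elim (¬p p)

  collapse-const : {x y : A} (d : Dec (x ≡ y)) (p q : x ≡ y)
                 → collapse d p ≡ collapse d q
  collapse-const (yes _) _ _ = refl
  collapse-const (no ¬p) p _ = ⊥-elim (¬p p)

  f : {x y : A} → x ≡ y → x ≡ y
  f {x} {y} = collapse (dec x y)

  trans-sym : {x y : A} (e : x ≡ y) → trans (sym e) e ≡ refl
  trans-sym refl = refl

  -- Every path p factors as trans (sym (f refl)) (f p); proved by J on p.
  factor : {x y : A} (p : x ≡ y) → p ≡ trans (sym (f {x} {x} refl)) (f p)
  factor {x} refl = sym (trans-sym (f {x} {x} refl))

  -- K for A: any two parallel paths agree, so A is a set.
  K : {x y : A} (p q : x ≡ y) → p ≡ q
  K {x} {y} p q =
    trans (factor p)
      (trans (cong (trans (sym (f {x} {x} refl))) (collapse-const (dec x y) p q))
             (sym (factor q)))

-- K for ℕ, obtained from decidable equality instead of the direct proof.
Kℕ : {m n : Nat} (p q : m ≡ n) → p ≡ q
Kℕ = Hedberg.K decEq

-- The deletion transition of Section 3.5, admissible for ℕ because of Kℕ.
deletionℕ : (n : Nat) (P : n ≡ n → Set) → P refl → (e : n ≡ n) → P e
deletionℕ n P p e = subst P (Kℕ refl e) p
```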



5. Related work 

Most implementations of dependent pattern matching in the style 
of Coquand (1992) do this by assuming the K axiom. Examples 
include Agda (when --without-K is not enabled), Idris (Brady 2013), 
and the Equations package for Coq (Sozeau 2010). 

Coq also supports a more primitive notion of pattern matching via 
the match construct in Gallina (The Coq development team 2012). 
The full version of this construct is 

    match e as x in D ū return P with
    | c₁ ȳ₁ => e₁
    | ...
    | cₙ ȳₙ => eₙ
    end                                                      (55)

In the language of this paper, this corresponds to 

$$\mathsf{case}_D\ (\lambda \bar u; x.\ P)\ (\lambda \bar y_1.\ e_1) \ldots (\lambda \bar y_n.\ e_n)\ e \qquad (56)$$

Coq also allows skipping the parts labeled by as, in, and return, in 
which case it will attempt to construct the motive $P$ automatically. 

Note that the motive P must be fully generalized over the indices 
u, ensuring that no unification is necessary. Hence this kind of 
matching also prevents us from proving K. However, it is more 
low-level than the kind of pattern matching described in this paper, 
because it requires the user to give each case split explicitly, and 
does not perform any unification. 

An unpublished first version of dependent pattern matching by 
McBride (1998) also used homogeneous equality with telescopic 
substitution and hence a proof-relevant unification algorithm. Sim- 
ilar to our present work, he observes that the innocent-looking 
deletion rule turns into the rather less innocent K. However, the 
published version of this work uses the heterogeneous equality, thus 
making it rely on K. 

6. Conclusion and future work 

Dependent pattern matching is an important tool for writing dependently 
typed functions and proofs in a readable way, but so far it 
needed the K axiom to function. What this paper shows is that there 
is no need to throw away the baby with the bath water: by carefully 
analysing where K is used, we can give a restricted formulation of 
dependent pattern matching that does not need it. We hope that this 
is enough to convince the HoTT community that pattern matching 
does not require K an sich, and maybe even helps in the creation of 
a practical language based on HoTT. 

One thing we noticed during the writing of this proof is how 
easily a small mistake can have a grave impact on soundness. For 
example, it was only after a long time that we realized that disabling 
deletion alone was not enough, but that the injectivity rule also subtly 
depends on K. To increase our confidence, we should make the 
type checkers of our languages perform the translation from pattern 
matching to a core calculus in practice. This is already done in the 
Equations package for Coq by Sozeau (2010), but they still need 
the K axiom for the translation. It would be interesting to see if 
our criterion could be integrated into this approach. Another very 
appealing idea is to write a compiler for dependent pattern matching 
inside the type theory by means of datatype-generic programming 
as described by Dagand (2013). 

Our criterion makes it possible to do pattern matching on 
regular inductive families without assuming K. But HoTT also 
introduces the concept of higher inductive types, which can have 
nontrivial identity proofs between their constructors. This implies 
that in general they do not satisfy the injectivity, disjointness, or 
acyclicity properties. Luckily, the proof given in this paper is entirely 
parametric in the actual unification transitions that are used. So in 
order to allow pattern matching in a context with higher inductive 
types, we should just limit the unification algorithm further. Our 
present paper gives a glimpse of how a theory of pattern matching 
with higher inductive types might look, but future research will 
have to show how much of the original pattern matching algorithm 
can be salvaged. 
A. A few homogeneous constructions on constructors 

Case Analysis. $\mathrm{case}_D$ is given by dropping the inductive hypotheses 
from the eliminator, i.e. it is itself a $D$-elimination operator with 
methods 

\[
m_i : (t : \Delta_i) \to (x_1 : \Phi_{i1} \to D\,v_{i1}) \cdots (x_{n_i} : \Phi_{in_i} \to D\,v_{in_i}) \to P\,u_i\,(c_i\,t\,x_1 \ldots x_{n_i}) \tag{57}
\]

for $i = 1, \ldots, k$. 



Recursion. In order to define $\mathrm{Below}_D\,P$, we apply the eliminator 
$\mathrm{elim}_D$ to the motive $\lambda\_.\ \mathrm{Set}$. For the method $m_i$ corresponding 
to the constructor $c_i$ we give the following: 

\[
m_i = \lambda t; x_1; \ldots; x_{n_i}; h_1; \ldots; h_{n_i}.\ 
(\Phi_{i1} \to h_1\,\Phi_{i1} \times P\,v_{i1}\,(x_1\,\Phi_{i1})) \times \cdots \times 
(\Phi_{in_i} \to h_{n_i}\,\Phi_{in_i} \times P\,v_{in_i}\,(x_{n_i}\,\Phi_{in_i})) \tag{58}
\]

i.e. $\mathrm{Below}_D\,P\,x$ is a tuple asserting $P\,y$ for all $y$ structurally smaller 
than $x$. Next, to define $\mathrm{below}_D\,P\,p$, we apply $\mathrm{elim}_D$ with the motive 
$\mathrm{Below}_D\,P$. We give the following for the method $m_i$: 

\[
m_i = \lambda t; x_1; \ldots; x_{n_i}; h_1; \ldots; h_{n_i}.\ 
\big((\lambda\Phi_{i1}.\ h_1\,\Phi_{i1},\ p\,v_{i1}\,(x_1\,\Phi_{i1})\,(h_1\,\Phi_{i1})),\ \ldots,\ 
(\lambda\Phi_{in_i}.\ h_{n_i}\,\Phi_{in_i},\ p\,v_{in_i}\,(x_{n_i}\,\Phi_{in_i})\,(h_{n_i}\,\Phi_{in_i}))\big) \tag{59}
\]

Finally, we define $\mathrm{rec}_D\,P\,p\,x := p\,x\,(\mathrm{below}_D\,P\,p\,x)$. 
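As an added example that is not part of the paper, the construction above specialised to the natural numbers (the one recursive argument of suc contributes one component of the tuple, zero contributes none); the Fibonacci function at the end is a constructed check that rec really gives course-of-values recursion. The module works under --without-K.

```agda
{-# OPTIONS --without-K --safe #-}

open import Agda.Builtin.Nat      using (Nat; zero; suc; _+_)
open import Agda.Builtin.Equality using (_≡_; refl)

record ⊤ : Set where
  constructor tt

record _×_ (A B : Set) : Set where
  constructor _,_
  field
    fst : A
    snd : B

-- Below P n is the tuple of P m for every m structurally below n (cf. (58)):
-- zero has no recursive argument, so the tuple is empty; the one recursive
-- argument of suc contributes (Below P n) × (P n).
Below : (P : Nat → Set) → Nat → Set
Below P zero    = ⊤
Below P (suc n) = Below P n × P n

-- below P p n fills that tuple, using p to turn Below P m into P m (cf. (59)).
below : (P : Nat → Set) (p : (n : Nat) → Below P n → P n) (n : Nat) → Below P n
below P p zero    = tt
below P p (suc n) = below P p n , p n (below P p n)

-- rec P p n := p n (below P p n): course-of-values recursion from the tuple alone.
rec : (P : Nat → Set) (p : (n : Nat) → Below P n → P n) (n : Nat) → P n
rec P p n = p n (below P p n)

-- Constructed check: Fibonacci through rec. At suc (suc n) the Below tuple
-- is ((Below P n × fib n) × fib (suc n)), so both previous values are in hand.
fib : Nat → Nat
fib = rec (λ _ → Nat) step
  where
    step : (n : Nat) → Below (λ _ → Nat) n → Nat
    step zero          _                = 0
    step (suc zero)    _                = 1
    step (suc (suc n)) ((_ , f1) , f2) = f1 + f2

-- Type-checks only because fib 10 normalises to 55.
fib-10 : fib 10 ≡ 55
fib-10 = refl
```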

No Confusion. First, we define $\mathrm{NoConfusion}_D\,a\,b$ by applying 
$\mathrm{case}_D$ with the motive $\lambda\_.\ \mathrm{Set}$ on $a$. For each method $m_i$, we 
apply $\mathrm{case}_D$ again with the same motive, but this time on $b$. This 
gives us $k^2$ methods $m_{ij}$ to fill in, one for each pair of constructors. 
On the diagonal (where $i = j$) we define $m_{ii} = \lambda x; x'.\ x = x'$, 
and if $i \neq j$ we simply give $m_{ij} = \lambda x; x'.\ \bot$ (the empty type). 
Next, we define $\mathrm{noConf}_D\,a\,b$. By telescopic substitution $\mathrm{subst}$ 
with motive $\mathrm{NoConfusion}_D\,a$, it is sufficient to give a function of 
type $(a : D) \to \mathrm{NoConfusion}_D\,a\,a$. But this can be done using 
$\mathrm{case}_D$ with motive $\lambda a.\ \mathrm{NoConfusion}_D\,a\,a$: for each method $m_i$ 
we can fill in $\mathrm{refl}$. 

For the inverse $\mathrm{noConf}_D^{-1}\,a\,b$, we need to do a little more work. 
First, we apply $\mathrm{case}_D$ twice as in the definition of $\mathrm{NoConfusion}_D$. 
Now we are left to give methods 

\[
m_{ij} : \mathrm{NoConfusion}_D\,(u_i; c_i\,x)\,(u_j; c_j\,x') \to u_i; c_i\,x = u_j; c_j\,x' \tag{60}
\]

When $i \neq j$, this is easy: we get an element of type $\bot$ from 
$\mathrm{NoConfusion}_D$, from which we can conclude anything. On the 
diagonal (where $i = j$) we get a proof of $x = x'$. Applying $\mathrm{subst}$ 
to this equality leaves us the goal $u_j; c_j\,x' = u_j; c_j\,x'$, which 
we can fill in with $\mathrm{refl}$. Finally, we prove that this is indeed a (left) 
inverse by constructing a function of type 

\[
(a\ b : D)(e : a = b) \to \mathrm{noConf}_D^{-1}\,a\,b\,(\mathrm{noConf}_D\,a\,b\,e) = e \tag{61}
\]

By $J$, it is sufficient to give a function of type 

\[
(a : D) \to \mathrm{noConf}_D^{-1}\,a\,a\,(\mathrm{noConf}_D\,a\,a\,\mathrm{refl}) = \mathrm{refl} \tag{62}
\]

But this we can do by applying $\mathrm{case}_D$ with methods $m_i = \mathrm{refl}$. 
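The same construction carried out for the natural numbers, as an added example that is not from the paper: NoConfusion by a double case split, noConf by eliminating the equation and then appealing to the diagonal, its inverse, and the left-inverse law (61). The last two definitions are the conflict and injectivity unification rules that noConf justifies; everything is accepted under --without-K.

```agda
{-# OPTIONS --without-K --safe #-}

open import Agda.Builtin.Nat      using (Nat; zero; suc)
open import Agda.Builtin.Equality using (_≡_; refl)

data ⊥ : Set where

record ⊤ : Set where
  constructor tt

-- NoConfusion a b by case analysis on a and then on b: on the diagonal the
-- constructor arguments are equated (zero has none, so the type is ⊤),
-- off the diagonal the type is ⊥.
NoConfusion : Nat → Nat → Set
NoConfusion zero    zero    = ⊤
NoConfusion zero    (suc _) = ⊥
NoConfusion (suc _) zero    = ⊥
NoConfusion (suc m) (suc n) = m ≡ n

-- The diagonal is inhabited by refl (or tt) in every case.
diag : (a : Nat) → NoConfusion a a
diag zero    = tt
diag (suc _) = refl

-- noConf: matching on refl is the "solution" step of unification (no K), then diag.
noConf : (a b : Nat) → a ≡ b → NoConfusion a b
noConf a .a refl = diag a

-- noConf⁻¹: off-diagonal inputs are absurd; on the diagonal, substitute and give refl.
noConf⁻¹ : (a b : Nat) → NoConfusion a b → a ≡ b
noConf⁻¹ zero    zero     tt   = refl
noConf⁻¹ zero    (suc _)  ()
noConf⁻¹ (suc _) zero     ()
noConf⁻¹ (suc m) (suc .m) refl = refl

-- The left-inverse law (61): eliminate e, then case on a, exactly as for (62).
noConf-inv : (a b : Nat) (e : a ≡ b) → noConf⁻¹ a b (noConf a b e) ≡ e
noConf-inv a .a refl = lemma a
  where
    lemma : (n : Nat) → noConf⁻¹ n n (diag n) ≡ refl
    lemma zero    = refl
    lemma (suc _) = refl

-- The two unification rules that noConf justifies: conflict and injectivity.
zero≢suc : (n : Nat) → zero ≡ suc n → ⊥
zero≢suc n e = noConf zero (suc n) e

suc-inj : (m n : Nat) → suc m ≡ suc n → m ≡ n
suc-inj m n e = noConf (suc m) (suc n) e
```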

Acyclicity. The relation $\not\prec$ is defined using $\mathrm{Below}_D$: 
$a \not\prec b := \mathrm{Below}_D\,(\lambda b'.\ a \neq b')\,b$. We also define 
$a \not\preceq b := a \not\prec b \times a \neq b$. If $x : D\,u$ and $y : D\,v$ then we 
often write $x \not\prec y$ and $x \not\preceq y$ instead of $u; x \not\prec v; y$ and 
$u; x \not\preceq v; y$ to avoid having to write too much clutter. 
Note that $x \not\prec c_i\,t\,s_1 \ldots s_{n_i} = (\Phi_{i1} \to x \not\preceq s_1\,\Phi_{i1}) \times \cdots \times 
(\Phi_{in_i} \to x \not\preceq s_{n_i}\,\Phi_{in_i})$ by definition of $\mathrm{Below}_D$ and $\not\preceq$. 
Now to construct $\mathrm{noCycle}_D$, we start by eliminating the equation 
$a = b$ using $J$, which leaves us the goal $(a : D) \to a \not\prec a$. Next we 
apply $\mathrm{elim}_D$ with motive $\lambda a.\ a \not\prec a$, producing for each constructor 
$c_i : \Delta_i \to (\Phi_{i1} \to D\,v_{i1}) \to \cdots \to (\Phi_{in_i} \to D\,v_{in_i}) \to D\,u_i$ 
the subgoal 

\[
(t : \Delta_i) \to (x_1 : \Phi_{i1} \to D\,v_{i1}) \cdots (x_{n_i} : \Phi_{in_i} \to D\,v_{in_i}) \to 
(h_1 : \Phi_{i1} \to x_1\,\Phi_{i1} \not\prec x_1\,\Phi_{i1}) \cdots 
(h_{n_i} : \Phi_{in_i} \to x_{n_i}\,\Phi_{in_i} \not\prec x_{n_i}\,\Phi_{in_i}) \to 
c_i\,t\,x_1 \ldots x_{n_i} \not\prec c_i\,t\,x_1 \ldots x_{n_i}
\]

In order to continue, we first define the auxiliary types 
$\mathrm{Step}_{ij} : \Delta_i \to (x_1 : \Phi_{i1} \to D\,v_{i1}) \cdots (x_{n_i} : \Phi_{in_i} \to D\,v_{in_i}) \to \Phi_{ij} \to D \to \mathrm{Set}$ 
for $i = 1, \ldots, k$ and $j = 1, \ldots, n_i$ as follows: 

\[
\mathrm{Step}_{ij}\,t\,x_1 \ldots x_{n_i}\,\Phi_{ij}\,(w; b) = (x_j\,\Phi_{ij}) \not\prec b \to (c_i\,t\,x_1 \ldots x_{n_i}) \not\preceq b
\]

Now suppose that we can construct 
$\mathrm{step}_{ij} : (t : \Delta_i) \to (x_1 : \Phi_{i1} \to D\,v_{i1}) \cdots (x_{n_i} : \Phi_{in_i} \to D\,v_{in_i}) \to \Phi_{ij} \to (a : D) \to \mathrm{Step}_{ij}\,t\,x_1 \ldots x_{n_i}\,\Phi_{ij}\,a$. 
Then we can solve the subgoal by filling in 

\[
\lambda t; x; h.\ \big((\lambda\Phi_{i1}.\ \mathrm{step}_{i1}\,t\,x\,\Phi_{i1}\,v_{i1}\,(x_1\,\Phi_{i1})\,(h_1\,\Phi_{i1})),\ \ldots,\ 
(\lambda\Phi_{in_i}.\ \mathrm{step}_{in_i}\,t\,x\,\Phi_{in_i}\,v_{in_i}\,(x_{n_i}\,\Phi_{in_i})\,(h_{n_i}\,\Phi_{in_i}))\big) \tag{64}
\]

So we only need to construct the $\mathrm{step}_{ij}$. The construction of 
$\mathrm{step}_{ij}\,t\,x_1 \ldots x_{n_i}\,\Phi_{ij} : (a : D) \to \mathrm{Step}_{ij}\,t\,x_1 \ldots x_{n_i}\,\Phi_{ij}\,a$ 
proceeds by applying $\mathrm{elim}_D$ with motive $\mathrm{Step}_{ij}\,t\,x_1 \ldots x_{n_i}\,\Phi_{ij}$. 
The new subgoals are of the form 

\[
(t' : \Delta_p)(x'_1 : \Phi_{p1} \to D\,v_{p1}) \ldots (x'_{n_p} : \Phi_{pn_p} \to D\,v_{pn_p}) \to 
(h'_1 : (s_1 : \Phi_{p1}) \to \mathrm{Step}_{ij}\,t\,x\,\Phi_{ij}\,v_{p1}\,(x'_1\,s_1)) \ldots 
(h'_{n_p} : (s_{n_p} : \Phi_{pn_p}) \to \mathrm{Step}_{ij}\,t\,x\,\Phi_{ij}\,v_{pn_p}\,(x'_{n_p}\,s_{n_p})) \to 
\mathrm{Step}_{ij}\,t\,x\,\Phi_{ij}\,u_p\,(c_p\,t'\,x') \tag{65}
\]

We solve them by giving: 

\[
\lambda t'; x'_1; \ldots; x'_{n_p}; h'_1; \ldots; h'_{n_p}; H.\ (\alpha, \beta) \tag{66}
\]

where we still have to construct 

\[
\alpha : c_i\,t\,x_1 \ldots x_{n_i} \not\prec c_p\,t'\,x'_1 \ldots x'_{n_p} \tag{67}
\]

and 

\[
\beta : c_i\,t\,x_1 \ldots x_{n_i} \neq c_p\,t'\,x'_1 \ldots x'_{n_p} \tag{68}
\]

For any $s : \Phi_{ij}$, we have $H : x_j\,s \not\prec c_p\,t'\,x'_1 \ldots x'_{n_p}$ or, by 
definition of $\not\prec$, $H = (H_1, \ldots, H_{n_p})$ where 
$H_q : (s' : \Phi_{pq}) \to x_j\,s \not\preceq x'_q\,s'$. The construction of $\alpha$ reduces to the construction 
of components $\alpha_q : \Phi_{pq} \to c_i\,t\,x_1 \ldots x_{n_i} \not\preceq x'_q\,\Phi_{pq}$. But 
these we can give as $\alpha_q = \lambda s'.\ h'_q\,s'\,(\pi_1\,(H_q\,s'))$ (where $\pi_1$ is 
projection onto the first component). For constructing $\beta$, we assume 
$c_i\,t\,x_1 \ldots x_{n_i} = c_p\,t'\,x'_1 \ldots x'_{n_p}$ and derive an element of $\bot$. By 
$\mathrm{noConf}_D$, it suffices to consider the case where $i = p$, $t = t'$, and 
$x_1; \ldots; x_{n_i} = x'_1; \ldots; x'_{n_i}$. But then we have $H_j\,s : x_j\,s \not\preceq x_j\,s$, 
hence $\pi_2\,(H_j\,s)\,\mathrm{refl} : \bot$. This finishes the construction of 
$\mathrm{noCycle}_D$. 
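The acyclicity construction instantiated to the natural numbers, as an added example rather than the paper's own code. For Nat, $n \not\prec b$ unfolds to a nested tuple of disequalities, step n b plays the role of step_ij (with the inductive hypothesis h' supplied by the recursive call and suc-inj standing in for noConf), and noCycle is the elim with motive λa. a ⊀ a; the final definition is the instance the cycle rule x = suc x needs. It type-checks under --without-K.

```agda
{-# OPTIONS --without-K --safe #-}

open import Agda.Builtin.Nat      using (Nat; zero; suc)
open import Agda.Builtin.Equality using (_≡_; refl)

data ⊥ : Set where

record ⊤ : Set where
  constructor tt

record _×_ (A B : Set) : Set where
  constructor _,_
  field
    fst : A
    snd : B
open _×_

_≢_ : Nat → Nat → Set
n ≢ m = n ≡ m → ⊥

-- n ⊀ m := Below (λ m'. n ≢ m') m: n differs from everything structurally below m.
_⊀_ : Nat → Nat → Set
n ⊀ zero  = ⊤
n ⊀ suc m = (n ⊀ m) × (n ≢ m)

-- n ⋠ m := n ⊀ m × n ≢ m
_⋠_ : Nat → Nat → Set
n ⋠ m = (n ⊀ m) × (n ≢ m)

-- Injectivity of suc, the piece of noConf that β needs here.
suc-inj : {n m : Nat} → suc n ≡ suc m → n ≡ m
suc-inj refl = refl

-- Step for the one recursive argument of suc: (n ⊀ b) → (suc n ⋠ b), by elim on b.
-- In the suc b case, H : n ⊀ b is π₁ of the hypothesis and gives α via the
-- inductive hypothesis (the recursive call); d : n ≢ b gives β via suc-inj.
step : (n b : Nat) → n ⊀ b → suc n ⋠ b
step n zero    tt      = tt , (λ ())
step n (suc b) (H , d) = step n b H , (λ e → d (suc-inj e))

-- noCycle: (n : Nat) → n ⊀ n, filling each constructor's subgoal with step (cf. (64)).
noCycle : (n : Nat) → n ⊀ n
noCycle zero    = tt
noCycle (suc n) = step n n (noCycle n)

-- The instance the cycle unification rule needs: suc n = n is absurd.
suc≢id : (n : Nat) → suc n ≢ n
suc≢id n = snd (noCycle (suc n))
```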